summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
authorjeschli <jeschli@gmail.com>2019-06-25 22:43:02 +0200
committerjeschli <jeschli@gmail.com>2019-06-25 22:43:02 +0200
commit1cfc265bbfa14b7d9fc6479bcd9cf541e7cdd5eb (patch)
tree18b95faba964f8072d23afcadcadda4f3eb276af /krebs/3modules
parent8079877eee34d0a658e8419adfa8987e648388a8 (diff)
parent1d23dceb5d2c536790a00fcde30743b958f1018f (diff)
Merge branch 'master' of prism.r:stockholm
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/exim-retiolum.nix92
-rw-r--r--krebs/3modules/exim-smarthost.nix6
-rw-r--r--krebs/3modules/exim.nix2
-rw-r--r--krebs/3modules/external/default.nix187
-rw-r--r--krebs/3modules/external/palo.nix6
-rw-r--r--krebs/3modules/external/ssh/0x4a6f.pub1
-rw-r--r--krebs/3modules/external/tinc/horisa.pub8
-rw-r--r--krebs/3modules/github-hosts-sync.nix28
-rw-r--r--krebs/3modules/github-known-hosts.nix10
-rw-r--r--krebs/3modules/lass/default.nix1
-rw-r--r--krebs/3modules/makefu/default.nix24
-rw-r--r--krebs/3modules/makefu/wiregrill/gum.pub2
-rw-r--r--krebs/3modules/makefu/wiregrill/rockit.pub1
-rw-r--r--krebs/3modules/syncthing.nix99
14 files changed, 366 insertions, 101 deletions
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index e08024977..118a8b2d5 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -1,15 +1,17 @@
-{ config, pkgs, lib, ... }:
-
with import <stockholm/lib>;
-let
+{ config, pkgs, lib, ... }: let
cfg = config.krebs.exim-retiolum;
- out = {
- options.krebs.exim-retiolum = api;
- config = lib.mkIf cfg.enable imp;
- };
+ # Due to improvements to the JSON notation, braces around top-level objects
+ # are not necessary^Wsupported by rspamd's parser when including files:
+ # https://github.com/rspamd/rspamd/issues/2674
+ toMostlyJSON = value:
+ assert typeOf value == "set";
+ (s: substring 1 (stringLength s - 2) s)
+ (toJSON value);
- api = {
+in {
+ options.krebs.exim-retiolum = {
enable = mkEnableOption "krebs.exim-retiolum";
local_domains = mkOption {
type = with types; listOf hostname;
@@ -28,22 +30,70 @@ let
"*.r"
];
};
+ rspamd = {
+ enable = mkEnableOption "krebs.exim-retiolum.rspamd" // {
+ default = false;
+ };
+ locals = {
+ logging = {
+ level = mkOption {
+ type = types.enum [
+ "error"
+ "warning"
+ "notice"
+ "info"
+ "debug"
+ "silent"
+ ];
+ default = "notice";
+ };
+ };
+ options = {
+ local_networks = mkOption {
+ type = types.listOf types.cidr;
+ default = [
+ config.krebs.build.host.nets.retiolum.ip4.prefix
+ config.krebs.build.host.nets.retiolum.ip6.prefix
+ ];
+ };
+ };
+ };
+ };
};
-
- imp = {
+ imports = [
+ {
+ config = lib.mkIf cfg.rspamd.enable {
+ services.rspamd.enable = true;
+ services.rspamd.locals =
+ mapAttrs'
+ (name: value: nameValuePair "${name}.inc" {
+ text = toMostlyJSON value;
+ })
+ cfg.rspamd.locals;
+ users.users.${config.krebs.exim.user.name}.extraGroups = [
+ config.services.rspamd.group
+ ];
+ };
+ }
+ ];
+ config = lib.mkIf cfg.enable {
krebs.exim = {
enable = true;
config =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
assert config.krebs.tinc.retiolum.enable;
- ''
+ /* exim */ ''
keep_environment =
primary_hostname = ${cfg.primary_hostname}
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
+ ${optionalString cfg.rspamd.enable /* exim */ ''
+ spamd_address = /run/rspamd/rspamd.sock variant=rspamd
+ ''}
+
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
@@ -72,6 +122,24 @@ let
acl_check_data:
+ ${optionalString cfg.rspamd.enable /* exim */ ''
+ accept condition = ''${if eq{$interface_port}{587}}
+
+ warn remove_header = ${concatStringsSep " : " [
+ "x-spam"
+ "x-spam-report"
+ "x-spam-score"
+ ]}
+
+ warn
+ spam = nobody:true
+
+ warn
+ condition = ''${if !eq{$spam_action}{no action}}
+ add_header = X-Spam: Yes
+ add_header = X-Spam-Report: $spam_report
+ add_header = X-Spam-Score: $spam_score
+ ''}
accept
@@ -118,4 +186,4 @@ let
'';
};
};
-in out
+}
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 5f93ae937..e988fb563 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -121,7 +121,7 @@ let
};
krebs.exim = {
enable = true;
- config = ''
+ config = /* exim */ ''
keep_environment =
primary_hostname = ${cfg.primary_hostname}
@@ -233,7 +233,7 @@ let
remote_smtp:
driver = smtp
- ${optionalString (cfg.dkim != []) (indent ''
+ ${optionalString (cfg.dkim != []) (indent /* exim */ ''
dkim_canon = relaxed
dkim_domain = $sender_address_domain
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
@@ -262,7 +262,7 @@ let
begin rewrite
begin authenticators
- ${concatStringsSep "\n" (mapAttrsToList (name: text: ''
+ ${concatStringsSep "\n" (mapAttrsToList (name: text: /* exim */ ''
${name}:
${indent text}
'') cfg.authenticators)}
diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix
index cfcbbc438..83d88cb0d 100644
--- a/krebs/3modules/exim.nix
+++ b/krebs/3modules/exim.nix
@@ -37,7 +37,7 @@ in {
};
config = lib.mkIf cfg.enable {
environment = {
- etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" ''
+ etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" /* exim */ ''
exim_user = ${cfg.user.name}
exim_group = ${cfg.group.name}
exim_path = /run/wrappers/bin/exim
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 9bfc920a3..1720811d9 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -43,6 +43,31 @@ in {
};
};
};
+ wilde = {
+ owner = config.krebs.users.kmein;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.2.4";
+ aliases = [ "wilde.r" ];
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
+ g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
+ 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
+ uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
+ a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
+ IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
+ C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
+ sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
+ 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
+ 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
+ lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
+ QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ };
+ };
+ };
dpdkm = {
owner = config.krebs.users.Mic92;
nets = rec {
@@ -167,6 +192,20 @@ in {
};
};
};
+ horisa = {
+ cores = 2;
+ owner = config.krebs.users.ulrich; # main laptop
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.226.213";
+ ip6.addr = "42:0:e644:9099:4f8:b9aa:3856:4e85";
+ aliases = [
+ "horisa.r"
+ ];
+ tinc.pubkey = tinc-for "horisa";
+ };
+ };
+ };
idontcare = {
owner = config.krebs.users.Mic92;
nets = rec {
@@ -190,6 +229,35 @@ in {
};
};
};
+ inspector = {
+ owner = config.krebs.users.Mic92;
+ nets = rec {
+ internet = {
+ ip4.addr = "141.76.44.154";
+ aliases = [ "inspector.i" ];
+ };
+ retiolum = {
+ via = internet;
+ ip4.addr = "10.243.29.172";
+ aliases = [ "inspector.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
+ EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
+ 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
+ m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
+ WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
+ eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
+ OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
+ ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
+ B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
+ q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
+ 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
justraute = {
owner = config.krebs.users.raute; # laptop
nets = {
@@ -202,6 +270,30 @@ in {
};
};
};
+ matchbox = {
+ owner = config.krebs.users.Mic92;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.29.176";
+ aliases = [ "matchbox.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
+ VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
+ nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
+ TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
+ TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
+ yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
+ 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
+ Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
+ bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
+ nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
+ /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
qubasa = {
owner = config.krebs.users.qubasa;
nets = {
@@ -227,6 +319,13 @@ in {
};
};
};
+ rilke = {
+ owner = config.krebs.users.kmein;
+ nets.wiregrill = {
+ aliases = [ "rilke.w" ];
+ wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
+ };
+ };
rock = {
owner = config.krebs.users.Mic92;
nets = {
@@ -365,56 +464,53 @@ in {
};
};
};
- inspector = {
- owner = config.krebs.users.Mic92;
- nets = rec {
- internet = {
- ip4.addr = "141.76.44.154";
- aliases = [ "inspector.i" ];
- };
+ uppreisn = {
+ owner = config.krebs.users.ilmu;
+ nets = {
retiolum = {
- via = internet;
- ip4.addr = "10.243.29.172";
- aliases = [ "inspector.r" ];
+ ip4.addr = "10.243.42.13";
+ aliases = [ "ilmu.r" ];
tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
- EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
- 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
- m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
- WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
- eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
- OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
- ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
- B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
- q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
- 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
- -----END RSA PUBLIC KEY-----
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAweAz7KtgYVuAfqP7Zoax
+ BrQ++qig30Aabnou5C62bYIf1Fn8Z9RbDROTmkGeF7No7mZ7wH0hNpRXo1N/sLNt
+ gr4bX7fXAvQ3NeeoMmM6VcC+pExnE4NMMnu0Dm3Z/WcQkCsJukkcvpC1gWkjPXea
+ gn3ODl2wbKMiRBhQDA2Ro0zDQ+gAIsgtS9fDA85Rb0AToLwifHHavz81SXF+9piv
+ qIl3rJZVBo1kOiolv5BCh4/O+R5boiFfPGAiqEcob0cTcmSCXaMqis8UNorlm08j
+ ytNG7kazeRQb9olJ/ovCA1b+6iAZ4251twuQkHfNdfC3VM32jbGq7skMyhX3qN/b
+ WoHHeBZR8eH5MpTTIODI+r4cLswAJqlCk816bGMmg6MuZutTlQCRTy1S/wXY/8ei
+ STAZ1IZH6dnwCJ9HXgMC6hcYuOs/KmvSdaa7F+yTEq83IAASewbRgn/YHsMksftI
+ d8db17rEOT5uC1jOGKF98d7e30MX5saTJZLB6XmNDsql/lFoooGzTz/L80JUYiJ0
+ fQFADznZpA+NE+teOH9aXsucDQkX6BOPSO4XKXV86RIejHUSEx5WdaqGOUfmhFUo
+ 9hZhr0qiiKNlXlP8noM9n+hPNKNkOlctQcpnatgdU3uQMtITPyKSLMUDoQIJlSgq
+ lak5LCqzwU9qa9EQSU4nLZ0CAwEAAQ==
+ -----END PUBLIC KEY-----
'';
};
};
};
- matchbox = {
- owner = config.krebs.users.Mic92;
+ unnamed = {
+ owner = config.krebs.users.pie_;
nets = {
retiolum = {
- ip4.addr = "10.243.29.176";
- aliases = [ "matchbox.r" ];
+ ip4.addr = "10.243.3.14";
+ aliases = [ "unnamed.r" ];
tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
- VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
- nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
- TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
- TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
- yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
- 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
- Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
- bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
- nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
- /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvGXVl+WV/bDxFAnYnAhZ
+ 2rHCU5dqtBvSg0sywV1j++lEuELBx4Zq14qyjDRGkkIGdgzCZBLK2cCgxPJ3MRFx
+ ZwiO3jPscTu3I7zju7ULO/LqGQG+Yf86estfGh394zFJ2rnFSwegeMNqCpOaurOH
+ GuYtNdjkxn/2wj00s+JEJjCNRMg8bkTMT3czuTr2k+6ICI8SgLZMDH7TjRfePHEW
+ X9/v4O3kMSZccT/wZWmezXuYlO7CJs7f4VV98z+sgubmIZz3uLfQFY8y9gmGp46y
+ 5n5QyD0iIqkLNGIldNnToVJPToRaW5OdNKtZFayU4pWZ296sEcJI0NWLYqy7yZfD
+ PG2FlCQmebUxMYk+iK0cYRLFzOgnr14uXihXxhuHYJ8R1VIbWuto1YFGUv5J/Jct
+ 3vgjwOlHwZKC9FTqnRjgp58QtnKneXGNZ446eKHUCmSRDKl8fc/m9ePHrISnGROY
+ gXMieAmOZtsQIxwRpBGCLjrr3sx8RRNY8ROycqPaQWp3upp61jAvvQW3SIvkp1+M
+ jGvfebJOSkEZurwGcWUar9w9t/oDfsV+R9Nm9n2IkdkNlnvXD1rcj7KqbFPtGf1a
+ MmB3AmwyIVv9Rk1Vpjkz4EtL4kPqiuhPrf1bHQhAdcwqwFGyo8HXsoMedb3Irhwm
+ OxwCRYLtEweku7HLhUVTnDkCAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
};
};
};
@@ -449,6 +545,9 @@ in {
mail = "dickbutt@excogitation.de";
pubkey = ssh-for "exco";
};
+ ilmu = {
+ mail = "ilmu@rishi.is";
+ };
jan = {
mail = "jan.heidbrink@posteo.de";
};
@@ -473,10 +572,14 @@ in {
mail = "shackspace.de@myvdr.de";
pubkey = ssh-for "ulrich";
};
+ "0x4a6f" = {
+ mail = "0x4a6f@shackspace.de";
+ pubkey = ssh-for "0x4a6f";
+ };
miaoski = {
};
filly = {
};
+ pie_ = {};
};
}
-
diff --git a/krebs/3modules/external/palo.nix b/krebs/3modules/external/palo.nix
index cefac0959..05808714c 100644
--- a/krebs/3modules/external/palo.nix
+++ b/krebs/3modules/external/palo.nix
@@ -34,7 +34,10 @@ in {
retiolum = {
ip4.addr = "10.243.23.3";
tinc.port = 720;
- aliases = [ "kruck.r" ];
+ aliases = [
+ "kruck.r"
+ "video.kruck.r"
+ ];
tinc.pubkey = tinc-for "palo";
};
};
@@ -49,6 +52,7 @@ in {
tinc.pubkey = tinc-for "palo";
};
};
+ syncthing.id = "FLY7DHI-TJLEQBJ-JZNC4YV-NBX53Z2-ZBRWADL-BKSFXYZ-L4FMDVH-MOSEVAQ";
};
workhorse = {
owner = config.krebs.users.palo;
diff --git a/krebs/3modules/external/ssh/0x4a6f.pub b/krebs/3modules/external/ssh/0x4a6f.pub
new file mode 100644
index 000000000..1ea084bad
--- /dev/null
+++ b/krebs/3modules/external/ssh/0x4a6f.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMoQSUz0wcV8tnTKsYO3sO6XG6EHap8R63ihfMHkxPS
diff --git a/krebs/3modules/external/tinc/horisa.pub b/krebs/3modules/external/tinc/horisa.pub
new file mode 100644
index 000000000..06d686ce3
--- /dev/null
+++ b/krebs/3modules/external/tinc/horisa.pub
@@ -0,0 +1,8 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1hhBqCku98gimv0yXr6DFwE2HUemigyqX8o7IsPOW5XT/K8o+V40
+Oxk3r0+c7IYREvug/raxoullf5TMJFzTzqzX4njgsiTs25V8D7hVT4jcRKTcXmBn
+XpjtD+tIeDW1E6dIMMDbxKCyfd/qaeg83G7gPobeFYr4JNqQLXrnotlWMO9S13UT
++EgSP2pixv/dGIqX8WRg23YumO8jZKbso/sKKFMIEOJvnh/5EcWb24+q2sDRCitP
+sWJ5j/9M1Naec/Zl27Ac2HyMWRk39F9Oo+iSbc47QvjKTEmn37P4bBg3hY9FSSFo
+M90wG/NRbw1Voz6BgGlwOAoA+Ln0rVKqDQIDAQAB
+-----END RSA PUBLIC KEY-----
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index 3b626dc46..0b7d56098 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -11,17 +11,25 @@ let
api = {
enable = mkEnableOption "krebs.github-hosts-sync";
- port = mkOption {
- type = types.int; # TODO port type
- default = 1028;
- };
dataDir = mkOption {
type = types.str; # TODO path (but not just into store)
default = "/var/lib/github-hosts-sync";
};
+ srcDir = mkOption {
+ type = types.str;
+ default = "${config.krebs.tinc.retiolum.confDir}/hosts";
+ };
ssh-identity-file = mkOption {
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
- default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
+ default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
+ };
+ url = mkOption {
+ type = types.str;
+ default = "git@github.com:krebs/hosts.git";
+ };
+ workTree = mkOption {
+ type = types.absolute-pathname;
+ default = "${cfg.dataDir}/cache";
};
};
@@ -30,13 +38,18 @@ let
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
- port = toString cfg.port;
+ GITHUB_HOST_SYNC_USER_MAIL = user.mail;
+ GITHUB_HOST_SYNC_USER_NAME = user.name;
+ GITHUB_HOST_SYNC_SRCDIR = cfg.srcDir;
+ GITHUB_HOST_SYNC_WORKTREE = cfg.workTree;
+ GITHUB_HOST_SYNC_URL = cfg.url;
};
serviceConfig = {
PermissionsStartOnly = "true";
SyslogIdentifier = "github-hosts-sync";
User = user.name;
- Restart = "always";
+ Type = "oneshot";
+ RemainAfterExit = true;
ExecStartPre = pkgs.writeDash "github-hosts-sync-init" ''
set -euf
install -m 0711 -o ${user.name} -d ${cfg.dataDir}
@@ -56,6 +69,7 @@ let
};
user = rec {
+ mail = "${name}@${config.krebs.build.host.name}";
name = "github-hosts-sync";
uid = genid_uint31 name;
};
diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix
index def06f17a..bae8b96bf 100644
--- a/krebs/3modules/github-known-hosts.nix
+++ b/krebs/3modules/github-known-hosts.nix
@@ -28,12 +28,22 @@
"140.82.125.*"
"140.82.126.*"
"140.82.127.*"
+ "13.114.40.48"
"13.229.188.59"
+ "13.234.176.102"
+ "13.234.210.38"
+ "13.236.229.21"
+ "13.237.44.5"
"13.250.177.223"
+ "15.164.81.167"
"18.194.104.89"
"18.195.85.27"
"35.159.8.160"
+ "52.192.72.89"
+ "52.64.108.95"
+ "52.69.186.44"
"52.74.223.119"
+ "52.78.231.108"
];
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
};
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 41f3852b9..f4c8f5c6a 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -35,6 +35,7 @@ in {
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index b38c9104f..601762b93 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -143,11 +143,19 @@ in {
ci = true;
cores = 4;
nets = {
+ lan = {
+ ip4.addr = "192.168.8.11";
+ aliases = [
+ "wbob.lan"
+ "log.wbob.lan"
+ ];
+ };
retiolum = {
ip4.addr = "10.243.214.15";
aliases = [
"wbob.r"
"hydra.wbob.r"
+ "log.wbob.r"
];
};
};
@@ -182,6 +190,7 @@ in {
wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
+ mediengewitter IN CNAME over.dose.io.
'';
};
cores = 8;
@@ -196,13 +205,13 @@ in {
};
wiregrill = {
via = internet;
+ ip4.addr = "10.244.245.1";
ip6.addr = w6 "1";
- wireguard = {
- subnets = [
- (krebs.genipv6 "wiregrill" "external" 0).subnetCIDR
+ wireguard.port = 51821;
+ wireguard.subnets = [
(krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR
- ];
- };
+ "10.244.245.0/24" # required for routing directly to gum via rockit
+ ];
};
retiolum = {
via = internet;
@@ -247,7 +256,6 @@ in {
cores = 1;
extraZones = {
"krebsco.de" = ''
- mediengewitter IN A ${nets.internet.ip4.addr}
flap IN A ${nets.internet.ip4.addr}
'';
};
@@ -281,6 +289,10 @@ in {
};
};
};
+ rockit = rec { # router@home
+ cores = 1;
+ nets.wiregrill.ip4.addr = "10.244.245.2";
+ };
senderechner = rec {
cores = 2;
diff --git a/krebs/3modules/makefu/wiregrill/gum.pub b/krebs/3modules/makefu/wiregrill/gum.pub
index 4a5f666cc..67d6c7216 100644
--- a/krebs/3modules/makefu/wiregrill/gum.pub
+++ b/krebs/3modules/makefu/wiregrill/gum.pub
@@ -1 +1 @@
-yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=
+A7UPKSUaCZaJ9hXv6X4jvcZ+5X+PlS1EmCwxlLBAKH0=
diff --git a/krebs/3modules/makefu/wiregrill/rockit.pub b/krebs/3modules/makefu/wiregrill/rockit.pub
new file mode 100644
index 000000000..6cb0d960d
--- /dev/null
+++ b/krebs/3modules/makefu/wiregrill/rockit.pub
@@ -0,0 +1 @@
+YmvTL4c13WS6f88ZAz2m/2deL2pnPXI0Ay3edCPE1Qc=
diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix
index 897ba1e7f..939c8fddf 100644
--- a/krebs/3modules/syncthing.nix
+++ b/krebs/3modules/syncthing.nix
@@ -2,40 +2,69 @@
let
- cfg = config.krebs.syncthing;
+ kcfg = config.krebs.syncthing;
+ scfg = config.services.syncthing;
devices = mapAttrsToList (name: peer: {
name = name;
deviceID = peer.id;
addresses = peer.addresses;
- }) cfg.peers;
+ }) kcfg.peers;
folders = mapAttrsToList ( _: folder: {
inherit (folder) path id type;
- devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers;
+ devices = map (peer: { deviceId = kcfg.peers.${peer}.id; }) folder.peers;
rescanIntervalS = folder.rescanInterval;
fsWatcherEnabled = folder.watch;
fsWatcherDelayS = folder.watchDelay;
+ ignoreDelete = folder.ignoreDelete;
ignorePerms = folder.ignorePerms;
- }) cfg.folders;
+ }) kcfg.folders;
getApiKey = pkgs.writeDash "getAPIKey" ''
${pkgs.libxml2}/bin/xmllint \
--xpath 'string(configuration/gui/apikey)'\
- ${config.services.syncthing.dataDir}/config.xml
+ ${scfg.configDir}/config.xml
'';
updateConfig = pkgs.writeDash "merge-syncthing-config" ''
set -efu
+
+ # XXX this assumes the GUI address to be "IPv4 address and port"
+ host=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 0)}
+ port=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 1)}
+
# wait for service to restart
- ${pkgs.untilport}/bin/untilport localhost 8384
+ ${pkgs.untilport}/bin/untilport "$host" "$port"
+
API_KEY=$(${getApiKey})
- CFG=$(${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config)
- echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] * {
- "devices": ${builtins.toJSON devices},
- "folders": ${builtins.toJSON folders}
- }' | ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config -d @-
- ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/restart -X POST
+
+ _curl() {
+ ${pkgs.curl}/bin/curl \
+ -Ss \
+ -H "X-API-Key: $API_KEY" \
+ "http://$host:$port/rest""$@"
+ }
+
+ old_config=$(_curl /system/config)
+ new_config=${shell.escape (toJSON {
+ inherit devices folders;
+ })}
+ new_config=$(${pkgs.jq}/bin/jq -en \
+ --argjson old_config "$old_config" \
+ --argjson new_config "$new_config" \
+ '
+ $old_config * $new_config
+ ${optionalString (!kcfg.overridePeers) ''
+ * { devices: $old_config.devices }
+ ''}
+ ${optionalString (!kcfg.overrideFolders) ''
+ * { folders: $old_config.folders }
+ ''}
+ '
+ )
+ echo $new_config | _curl /system/config -d @-
+ _curl /system/restart -X POST
'';
in
@@ -45,11 +74,6 @@ in
enable = mkEnableOption "syncthing-init";
- id = mkOption {
- type = types.str;
- default = config.krebs.build.host.name;
- };
-
cert = mkOption {
type = types.nullOr types.absolute-pathname;
default = null;
@@ -60,6 +84,13 @@ in
default = null;
};
+ overridePeers = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to delete the peers which are not configured via the peers option
+ '';
+ };
peers = mkOption {
default = {};
type = types.attrsOf (types.submodule ({
@@ -80,6 +111,13 @@ in
}));
};
+ overrideFolders = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to delete the folders which are not configured via the peers option
+ '';
+ };
folders = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ config, ... }: {
@@ -120,6 +158,11 @@ in
default = 10;
};
+ ignoreDelete = mkOption {
+ type = types.bool;
+ default = false;
+ };
+
ignorePerms = mkOption {
type = types.bool;
default = true;
@@ -130,19 +173,19 @@ in
};
};
- config = (mkIf cfg.enable) {
+ config = mkIf kcfg.enable {
- systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) {
+ systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) {
preStart = ''
- ${optionalString (cfg.cert != null) ''
- cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem
- chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/cert.pem
- chmod 400 ${config.services.syncthing.dataDir}/cert.pem
+ ${optionalString (kcfg.cert != null) ''
+ cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem
+ chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem
+ chmod 400 ${scfg.configDir}/cert.pem
''}
- ${optionalString (cfg.key != null) ''
- cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem
- chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/key.pem
- chmod 400 ${config.services.syncthing.dataDir}/key.pem
+ ${optionalString (kcfg.key != null) ''
+ cp ${toString kcfg.key} ${scfg.configDir}/key.pem
+ chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem
+ chmod 400 ${scfg.configDir}/key.pem
''}
'';
};
@@ -152,7 +195,7 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- User = config.services.syncthing.user;
+ User = scfg.user;
RemainAfterExit = true;
Type = "oneshot";
ExecStart = updateConfig;