authortv <tv@krebsco.de>2018-12-18 20:17:03 +0100
committertv <tv@krebsco.de>2018-12-18 20:17:03 +0100
commit1fa1fa53062069de970548f88ad0211b4502f18d (patch)
tree30413fa29c1c43ff7af5ea684d92e613de4af295 /krebs
parent8b4428816d1385e1dd5ec9bf0ce44ae0e284130a (diff)
parent23562e36190e07f338211541ac3d2cc77ebdbafa (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'krebs')
-rw-r--r--krebs/2configs/binary-cache/prism.nix2
-rw-r--r--krebs/2configs/cache.nsupdate.info.nix8
-rw-r--r--krebs/3modules/cachecache.nix20
-rw-r--r--krebs/3modules/lass/default.nix104
-rw-r--r--krebs/3modules/makefu/default.nix52
-rw-r--r--krebs/3modules/makefu/ssh/ulrich.pub2
6 files changed, 89 insertions, 99 deletions
diff --git a/krebs/2configs/binary-cache/prism.nix b/krebs/2configs/binary-cache/prism.nix
index 46b386e14..51b4a1afc 100644
--- a/krebs/2configs/binary-cache/prism.nix
+++ b/krebs/2configs/binary-cache/prism.nix
@@ -3,7 +3,7 @@
{
nix = {
binaryCaches = [
- "http://cache.prism.r"
+ "https://cache.krebsco.de"
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
index 056667d8c..74f345614 100644
--- a/krebs/2configs/cache.nsupdate.info.nix
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -1,4 +1,4 @@
-{lib, ... }:
+{ pkgs, lib, ... }:
with lib;
let
domain = "cache.nsupdate.info";
@@ -17,9 +17,13 @@ in {
};
krebs.cachecache = {
enable = true;
- enableSSL = false; # disable letsencrypt for testing
+ enableSSL = true; # disable letsencrypt for testing
cacheDir = "/var/cache/nix-cache-cache";
maxSize = "10g";
+ indexFile = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/master/index.html";
+ sha256 = "1vlngzbn0jipigspccgikd7xgixksimdl4wf8ix7d30ljx47p9n0";
+ };
# assumes that the domain is reachable from the internet
virtualHost = domain;
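Review bot: The `indexFile` URL points at the `master` branch of krebs/35c3-nixos-cache while the `sha256` is fixed, so any later upstream change to that file makes the fetch fail with a hash mismatch. Pinning the URL to a revision keeps the fetch reproducible, e.g. `url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/<commit-sha>/index.html";`, where `<commit-sha>` is a placeholder for the commit the hash was taken from. Separately, the trailing comment on `enableSSL = true;` still reads `# disable letsencrypt for testing`, which now contradicts the value. Drop it or reword it to match the new setting.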
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
index 989320480..2c2d07ff5 100644
--- a/krebs/3modules/cachecache.nix
+++ b/krebs/3modules/cachecache.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ pkgs, config, lib, ... }:
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
@@ -59,15 +59,6 @@ in
'';
};
- # webRoot = mkOption {
- # type = types.str;
- # default = "/";
- # description = ''
- # Directory on virtual host that serves the cache. Must end in
- # <literal>/</literal>.
- # '';
- # };
-
resolver = mkOption {
type = types.str;
description = "Address of DNS resolver.";
@@ -82,6 +73,13 @@ in
Where nginx should store cached data.
'';
};
+ indexFile = mkOption {
+ type = types.path;
+ default = pkgs.writeText "myindex" "<html>hello world</html>";
+ description = ''
+ Path to index.html file.
+ '';
+ };
maxSize = mkOption {
type = types.str;
@@ -98,6 +96,7 @@ in
systemd.services.nginx.preStart = ''
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ ln -fs ${cfg.indexFile} /srv/www/nix-cache-cache/index.html
chown ${nginxCfg.user}:${nginxCfg.group} \
${cfg.cacheDir} /srv/www/nix-cache-cache
'';
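Review bot: The added `ln -fs` writes into /srv/www/nix-cache-cache, which the following `chown` hands to the nginx user, so on later starts the link is created in a directory that a less privileged account can modify. If `index.html` there is ever a directory or a symlink to one, plain `ln -fs` follows it and creates the link inside that target instead of replacing the entry. `ln -sfn ${cfg.indexFile} /srv/www/nix-cache-cache/index.html` replaces the entry itself. Which user runs preStart is not visible in this hunk, so treat this as hardening rather than a confirmed flaw.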
@@ -143,6 +142,7 @@ in
locations."/" =
{
root = "/srv/www/nix-cache-cache";
+ index = "index.html";
extraConfig = ''
expires max;
add_header Cache-Control $nix_cache_cache_header always;
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 0d8513a69..1117dc61c 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -1,16 +1,14 @@
with import <stockholm/lib>;
{ config, ... }: let
- hostDefaults = hostName: host: flip recursiveUpdate host ({
+ hostDefaults = hostName: host: flip recursiveUpdate host {
ci = true;
monitoring = true;
owner = config.krebs.users.lass;
- } // optionalAttrs (host.nets?retiolum) {
- nets.retiolum.ip6.addr =
- (krebs.genipv6 "retiolum" "lass" { inherit hostName; }).address;
- });
+ };
- wip6 = krebs.genipv6 "wirelum" "lass";
+ r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
+ w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
in {
dns.providers = {
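Review bot: With the `optionalAttrs (host.nets?retiolum)` default removed from `hostDefaults`, a host only gets a retiolum IPv6 address if it sets `ip6.addr = r6 "...";` itself. A host that is missed loses the address without any evaluation error, so the hosts in this file that the diff does not touch should be checked. The new helpers are also undocumented. A comment above them such as `# r6/w6: address from genipv6 for retiolum / wiregrill; every host must set ip6.addr explicitly` would make the convention visible.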
@@ -56,6 +54,7 @@ in {
retiolum = {
via = internet;
ip4.addr = "10.243.0.103";
+ ip6.addr = r6 "1";
aliases = [
"prism.r"
"cache.prism.r"
@@ -90,16 +89,16 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
+ wiregrill = {
via = internet;
ip4.addr = "10.244.1.1";
- ip6.addr = (wip6 "1").address;
+ ip6.addr = w6 "1";
aliases = [
"prism.w"
];
wireguard = {
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
- subnets = [ "10.244.1.0/24" (wip6 "1").subnetCIDR ];
+ subnets = [ "10.244.1.0/24" "42:1::/32" ];
};
};
};
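Review bot: `subnets` now hard-codes `"42:1::/32"` where it was previously derived from `genipv6` via `.subnetCIDR`, so the literal can drift from the prefix that `w6` actually generates for wiregrill addresses. If these subnets end up as the peer's allowed address ranges (the consuming module is not in this diff), a prefix wider than intended would let this peer carry traffic for addresses it should not. Deriving it again keeps the two in step: `subnets = [ "10.244.1.0/24" (krebs.genipv6 "wiregrill" "lass" "1").subnetCIDR ];`. If the literal is deliberate, a comment stating why it is fixed would help the next reader.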
@@ -150,6 +149,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.81.176";
+ ip6.addr = r6 "1e1";
aliases = [
"uriel.r"
"cgit.uriel.r"
@@ -175,6 +175,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.2";
+ ip6.addr = r6 "dea7";
aliases = [
"mors.r"
"cgit.mors.r"
@@ -190,8 +191,8 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "dea7").address;
+ wiregrill = {
+ ip6.addr = w6 "dea7";
aliases = [
"mors.w"
];
@@ -207,6 +208,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.4";
+ ip6.addr = r6 "50da";
aliases = [
"shodan.r"
"cgit.shodan.r"
@@ -222,12 +224,12 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "50da").address;
+ wiregrill = {
+ ip6.addr = w6 "50da";
aliases = [
"shodan.w"
];
- wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=";
+ wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30=";
};
};
secure = true;
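Review bot: `wireguard.pubkey` for shodan is replaced with a different key in the same hunk as the `wirelum` to `wiregrill` rename, and nothing in the commit record says the key was rotated. A peer key change is a trust change and should be traceable on its own, separate from a rename. A short comment next to the value, e.g. `# rotated <date>, see <commit-id>` (placeholders), or a line in the commit message would record that the replacement was intended.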
@@ -239,6 +241,7 @@ in {
nets = rec {
retiolum = {
ip4.addr = "10.243.133.114";
+ ip6.addr = r6 "1205";
aliases = [
"icarus.r"
"cgit.icarus.r"
@@ -254,8 +257,8 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "1205").address;
+ wiregrill = {
+ ip6.addr = w6 "1205";
aliases = [
"icarus.w"
];
@@ -271,6 +274,7 @@ in {
nets = rec {
retiolum = {
ip4.addr = "10.243.133.115";
+ ip6.addr = r6 "dead";
aliases = [
"daedalus.r"
"cgit.daedalus.r"
@@ -296,6 +300,7 @@ in {
nets = rec {
retiolum = {
ip4.addr = "10.243.133.116";
+ ip6.addr = r6 "5ce7";
aliases = [
"skynet.r"
"cgit.skynet.r"
@@ -321,6 +326,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.133.77";
+ ip6.addr = r6 "771e";
aliases = [
"littleT.r"
];
@@ -356,52 +362,13 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
};
- xerxes = {
- cores = 2;
- nets = rec {
- retiolum = {
- ip4.addr = "10.243.1.3";
- aliases = [
- "xerxes.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
- MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
- gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
- /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
- mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
- X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
- +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
- hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
- 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
- H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
- JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
- hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
- SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
- 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
- vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
- Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
- scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
- jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
- Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
- /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
- bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
- sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- secure = true;
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
- };
red = {
monitoring = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.13";
+ ip6.addr = r6 "12ed";
aliases = [
"red.r"
];
@@ -431,6 +398,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.14";
+ ip6.addr = r6 "3110";
aliases = [
"yellow.r"
];
@@ -451,8 +419,8 @@ in {
-----END PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "e110").address;
+ wiregrill = {
+ ip6.addr = w6 "3110";
aliases = [
"yellow.w"
];
@@ -467,6 +435,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.77";
+ ip6.addr = r6 "b1ce";
aliases = [
"blue.r"
];
@@ -487,15 +456,22 @@ in {
-----END PUBLIC KEY-----
'';
};
+ wiregrill = {
+ ip6.addr = w6 "b1ce";
+ aliases = [
+ "blue.w"
+ ];
+ wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U=";
+ };
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
};
phone = {
nets = {
- wirelum = {
- ip6.addr = (wip6 "a").address;
+ wiregrill = {
ip4.addr = "10.244.1.2";
+ ip6.addr = w6 "a";
aliases = [
"phone.w"
];
@@ -510,6 +486,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.19";
+ ip6.addr = r6 "012f";
aliases = [
"morpheus.r"
];
@@ -529,6 +506,13 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
+ wiregrill = {
+ ip6.addr = w6 "012f";
+ aliases = [
+ "morpheus.w"
+ ];
+ wireguard.pubkey = "BdiIHJjJQThmZD8DehxPGA+bboBHjljedwaRaV5yyDY=";
+ };
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index d6c1f0b61..befec2156 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -551,27 +551,28 @@ in {
ci = true;
extraZones = {
"krebsco.de" = ''
+ boot.euer IN A ${nets.internet.ip4.addr}
cache.euer IN A ${nets.internet.ip4.addr}
cache.gum IN A ${nets.internet.ip4.addr}
- graph IN A ${nets.internet.ip4.addr}
+ cgit.euer IN A ${nets.internet.ip4.addr}
+ dl.euer IN A ${nets.internet.ip4.addr}
+ dockerhub IN A ${nets.internet.ip4.addr}
+ euer IN A ${nets.internet.ip4.addr}
+ ghook IN A ${nets.internet.ip4.addr}
+ git.euer IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
+ graph IN A ${nets.internet.ip4.addr}
+ gum IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
- wg.euer IN A ${nets.internet.ip4.addr}
- photostore IN A ${nets.internet.ip4.addr}
- o.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
- boot.euer IN A ${nets.internet.ip4.addr}
- wiki.euer IN A ${nets.internet.ip4.addr}
+ netdata.euer IN A ${nets.internet.ip4.addr}
+ o.euer IN A ${nets.internet.ip4.addr}
+ photostore IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
- cgit.euer IN A ${nets.internet.ip4.addr}
- git.euer IN A ${nets.internet.ip4.addr}
- euer IN A ${nets.internet.ip4.addr}
share.euer IN A ${nets.internet.ip4.addr}
- gum IN A ${nets.internet.ip4.addr}
+ wg.euer IN A ${nets.internet.ip4.addr}
+ wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
- dl.euer IN A ${nets.internet.ip4.addr}
- ghook IN A ${nets.internet.ip4.addr}
- dockerhub IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
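Review bot: The re-sorted record list also introduces `netdata.euer`, a new public A record, and the sort makes that addition easy to miss. Netdata dashboards are commonly served without authentication, and the vhost behind this name is not part of the diff. It is worth confirming that access is restricted before the name resolves publicly. If the dashboard is only meant for the VPN, the `netdata.makefu.r` alias added further down in this file is enough and the line `netdata.euer IN A ${nets.internet.ip4.addr}` can be dropped.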
@@ -596,24 +597,25 @@ in {
via = internet;
ip4.addr = "10.243.0.213";
aliases = [
- "nextgum.r"
- "graph.r"
- "cache.gum.r"
- "logs.makefu.r"
- "stats.makefu.r"
"backup.makefu.r"
+ "blog.gum.r"
+ "blog.makefu.r"
+ "cache.gum.r"
+ "cgit.gum.r"
+ "dcpp.gum.r"
"dcpp.nextgum.r"
+ "graph.r"
"gum.r"
- "cgit.gum.r"
+ "logs.makefu.r"
+ "netdata.makefu.r"
+ "nextgum.r"
"o.gum.r"
- "tracker.makefu.r"
"search.makefu.r"
- "wiki.makefu.r"
- "wiki.gum.r"
- "blog.makefu.r"
- "blog.gum.r"
- "dcpp.gum.r"
+ "stats.makefu.r"
"torrent.gum.r"
+ "tracker.makefu.r"
+ "wiki.gum.r"
+ "wiki.makefu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/makefu/ssh/ulrich.pub b/krebs/3modules/makefu/ssh/ulrich.pub
index 88313ee7c..8ac69004c 100644
--- a/krebs/3modules/makefu/ssh/ulrich.pub
+++ b/krebs/3modules/makefu/ssh/ulrich.pub
@@ -1 +1 @@
-AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de