-rw-r--r-- | krebs/3modules/lass/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/tv/default.nix | 142 | ||||
-rw-r--r-- | krebs/4lib/types.nix | 23 | ||||
-rw-r--r-- | krebs/5pkgs/default.nix | 8 | ||||
-rw-r--r-- | tv/1systems/caxi.nix | 25 | ||||
-rw-r--r-- | tv/1systems/mkdir.nix | 76 | ||||
-rw-r--r-- | tv/1systems/rmdir.nix | 76 | ||||
-rw-r--r-- | tv/2configs/nginx/default.nix | 4 |
8 files changed, 104 insertions, 251 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index d2542041f..08e8995fa 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -91,6 +91,7 @@ with config.krebs.lib;
 "prism.retiolum"
 "prism.r"
 "cgit.prism.retiolum"
+ "cgit.prism.r"
 "cache.prism.r"
 ];
 tinc.pubkey = ''
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index efba1bc24..2d18a7e8d 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -7,19 +7,61 @@ with config.krebs.lib;
 "viljetic.de" = "regfish";
 };
 hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) {
- cd = rec {
+ caxi = {
+ cores = 2;
+ extraZones = {
+ "krebsco.de" = ''
+ caxi 60 IN A ${config.krebs.hosts.caxi.nets.internet.ip4.addr}
+ '';
+ };
+ nets = {
+ internet = {
+ ip4 = {
+ addr = "104.233.124.70";
+ prefix = "104.233.124.0/24";
+ };
+ aliases = [
+ "caxi.i"
+ "caxi.krebsco.de"
+ ];
+ ssh.port = 11423;
+ };
+ retiolum = {
+ via = config.krebs.hosts.caxi.nets.internet;
+ ip4.addr = "10.243.113.226";
+ ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af6";
+ aliases = [
+ "caxi.r"
+ "caxi.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAxNh1xhvCFzjUOmBq+F6NjUdntKh/7qo7LrsXjPVn92r1hGTVHJO1
+ E+XP5dabZ/mFWySY8GvG7XlZ27wsjkvHEyb16IhOqYrnaONf9LifAWQ3qBlHtp1T
+ eZeP6wcXLhR/pOPy0pT6EABmDHbOzErjYv4pdrXHuxlM10Ljtpp3mClNeXY9eby+
+ HekEE8LY8/zWqJ90lMaxPhLh1VqEvTVTnem5e1F8HDzNvRWa0kWUYG33zPQMyKgR
+ BCvp1DR7Y2LwDmGKnhzBm4JTcP+fcs+z/eGie/CEIgFM0BFJaTBAYZOtUlhBSe0y
+ UYE2W9CJkPN2Uepf53nPnshjKC64fgTr7wIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdJ4xGi+qn4IfMZJ3Kv7AGZGbhlR+GrkD87z2tcyRZy";
+ };
+ cd = {
 cores = 2;
 extraZones = {
 # TODO generate krebsco.de zone from nets and don't use extraZones at all
 "krebsco.de" = ''
 krebsco.de. 60 IN MX 5 mx23
- mx23 60 IN A ${nets.internet.ip4.addr}
- cd 60 IN A ${nets.internet.ip4.addr}
- cgit 60 IN A ${nets.internet.ip4.addr}
- cgit.cd 60 IN A ${nets.internet.ip4.addr}
+ mx23 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
+ cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
+ cgit 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
+ cgit.cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
 '';
 };
- nets = rec {
+ nets = {
 internet = {
 ip4.addr = "45.62.237.203";
 aliases = [
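Review bot: The new caxi host declares `prefix = "104.233.124.0/24"` under `nets.internet.ip4`, a field no other host in this hunk carries, and the krebs/4lib/types.nix hunks in this commit do not add such an option; unless the ip4 submodule already declares `prefix` elsewhere, evaluation fails on the unknown option, and even if it does, nothing here says what consumes it. tv/1systems/caxi.nix in this commit parses it to derive prefixLength and the default gateway, so a comment on that line, `# CIDR of the provider subnet; caxi.nix derives prefixLength and gateway from it`, makes the coupling visible. The `hosts` attrset that encloses these definitions continues outside the hunk.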
@@ -33,7 +75,7 @@ with config.krebs.lib;
 ssh.port = 11423;
 };
 retiolum = {
- via = internet;
+ via = config.krebs.hosts.cd.nets.internet;
 ip4.addr = "10.243.113.222";
 ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af3";
 aliases = [
@@ -96,49 +138,14 @@ with config.krebs.lib;
 };
 ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM6dL0fQ8Bd0hER0Xa3I2pAWVHdnwOBaAZhbDlLJmUu";
 };
- mkdir = rec {
- cores = 1;
- nets = rec {
- internet = {
- ip4.addr = "104.167.114.142";
- aliases = [
- "mkdir.i"
- "mkdir.internet"
- ];
- };
- retiolum = {
- via = internet;
- ip4.addr = "10.243.113.223";
- ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af4";
- aliases = [
- "mkdir.r"
- "mkdir.retiolum"
- "cgit.mkdir.r"
- "cgit.mkdir.retiolum"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+
- dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev
- voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF
- 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ
- Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2
- 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw";
- };
- ire = rec {
+ ire = {
 extraZones = {
 # TODO generate krebsco.de zone from nets and don't use extraZones at all
 "krebsco.de" = ''
- ire 60 IN A ${nets.internet.ip4.addr}
+ ire 60 IN A ${config.krebs.hosts.ire.nets.internet.ip4.addr}
 '';
 };
- nets = rec {
+ nets = {
 internet = {
 ip4.addr = "198.147.22.115";
 aliases = [
@@ -149,7 +156,7 @@ with config.krebs.lib;
 ssh.port = 11423;
 };
 retiolum = {
- via = internet;
+ via = config.krebs.hosts.ire.nets.internet;
 ip4.addr = "10.243.231.66";
 ip6.addr = "42:b912:0f42:a82d:0d27:8610:e89b:490c";
 aliases = [
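Review bot: Removing the `mkdir` host here (and `rmdir` in the later hunk at -268) drops their tinc public keys and `cgit.*` aliases from the host table, but the commit only deletes the two tv/1systems files; the deleted rmdir.nix itself listed `"mkdir"` in `krebs.retiolum.connectTo`, so any remaining host config or zone that still names mkdir or rmdir will either fail to evaluate or, where the name is only used as a string, keep pointing at a decommissioned peer. Worth checking the other `connectTo` lists and extraZones for `"mkdir"` and `"rmdir"` before merging. The `hosts` attrset continues outside the hunk.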
@@ -229,7 +236,7 @@ with config.krebs.lib;
 };
 nomic = {
 cores = 2;
- nets = rec {
+ nets = {
 gg23 = {
 ip4.addr = "10.23.1.110";
 aliases = ["nomic.gg23"];
@@ -268,41 +275,6 @@ with config.krebs.lib;
 };
 };
 };
- rmdir = rec {
- cores = 1;
- nets = rec {
- internet = {
- ip4.addr = "167.88.34.182";
- aliases = [
- "rmdir.i"
- "rmdir.internet"
- ];
- };
- retiolum = {
- via = internet;
- ip4.addr = "10.243.113.224";
- ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5";
- aliases = [
- "rmdir.r"
- "rmdir.retiolum"
- "cgit.rmdir.r"
- "cgit.rmdir.retiolum"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf
- i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM
- Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz
- hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF
- 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH
- SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4";
- };
 schnabeldrucker = {
 nets = {
 gg23 = {
@@ -387,7 +359,7 @@ with config.krebs.lib;
 ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
 };
 };
- users = rec {
+ users = {
 mv = {
 mail = "mv@cd.r";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod";
@@ -399,11 +371,11 @@ with config.krebs.lib;
 uid = 1337; # TODO use default and document what has to be done (for vv)
 };
 tv-nomic = {
- inherit (tv) mail;
+ inherit (config.krebs.users.tv) mail;
 pubkey = "ssh-rsa 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 tv@nomic #2";
 };
 tv-xu = {
- inherit (tv) mail;
+ inherit (config.krebs.users.tv) mail;
 pubkey = "ssh-rsa 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 tv@xu";
 };
 vv = {
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 0d5b51f76..aa7b7a9f5 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -76,7 +76,6 @@ types // rec { default = optional (config.ip4 != null) config.ip4.addr ++ optional (config.ip6 != null) config.ip6.addr; - readOnly = true; }; aliases = mkOption { # TODO nonEmptyListOf hostname @@ -162,11 +161,21 @@ types // rec { secret-file = submodule ({ config, ... }: { options = { - path = mkOption { type = str; }; - mode = mkOption { type = file-mode; default = "0400"; }; + name = mkOption { + type = filename; + default = config._module.args.name; + }; + path = mkOption { + type = absolute-pathname; + default = "/run/keys/${config.name}"; + }; + mode = mkOption { + type = file-mode; + default = "0400"; + }; owner = mkOption { type = user; - default = config.krebs.users.root; + default = users.root; }; group-name = mkOption { type = str; @@ -174,7 +183,7 @@ types // rec { }; source-path = mkOption { type = str; - default = toString <secrets> + "/${config._module.args.name}"; + default = toString <secrets> + "/${config.name}"; }; }; }); @@ -342,7 +351,9 @@ types // rec { absolute-pathname = mkOptionType { name = "POSIX absolute pathname"; check = x: let xs = splitString "/" x; xa = head xs; in - isString x && (xa == "/" || (xa == "" && all filename.check (tail xs))); + isString x + && stringLength x > 0 + && (xa == "/" || (xa == "" && all filename.check (tail xs))); merge = mergeOneOption; }; diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index f0bda0ee1..cdab64212 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix 
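Review bot: `readOnly = true` is dropped from the option whose default is built from `config.ip4.addr`/`config.ip6.addr` (first hunk, -76) with no comment on why; once writable, a host definition can set that address list to values that disagree with its declared ip4/ip6, and consumers such as zone generation or tinc host files would not notice the mismatch. If an override is genuinely needed, state it next to the default, `# writable: <reason the derived list must be overridable>`, otherwise keep readOnly. The option's header line lies outside the hunk, so its name is not visible here.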
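Review bot: In the secret-file submodule (hunk -162), `path` is now typed `absolute-pathname` while `source-path` in the next hunk (-174) keeps `type = str` although its default `toString <secrets> + "/${config.name}"` is an absolute path as well; typing it `absolute-pathname` too would reject a relative or empty source the same way. Both defaults interpolate `config.name`, and it is the `filename` type on `name` that presumably keeps `/run/keys/${config.name}` and the source path free of separators and `..`, so a comment on the `name` option, `# relies on filename rejecting '/' and '..' — confirm`, would record the invariant the two defaults depend on. The `options` attrset continues past the hunk.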
@@ -38,14 +38,6 @@ with config.krebs.lib; ReaktorPlugins = callPackage ./Reaktor/plugins.nix {}; - buildbot = callPackage <nixpkgs/pkgs/development/tools/build-managers/buildbot> { - inherit (pkgs.pythonPackages) twisted jinja2; - dateutil = pkgs.pythonPackages.dateutil_1_5; - sqlalchemy_migrate_0_7 = pkgs.pythonPackages.sqlalchemy_migrate_func (pkgs.pythonPackages.sqlalchemy7.override { - doCheck = false; - }); - }; - # XXX symlinkJoin changed arguments somewhere around nixpkgs d541e0d symlinkJoin = { name, paths, ... }@args: let x = pkgs.symlinkJoin args; diff --git a/tv/1systems/caxi.nix b/tv/1systems/caxi.nix new file mode 100644 index 000000000..5bfacd992 --- /dev/null +++ b/tv/1systems/caxi.nix @@ -0,0 +1,25 @@ +{ config, ... }: + +with config.krebs.lib; + +{ + krebs.build.host = config.krebs.hosts.caxi; + + imports = [ + ../. + ../2configs/hw/CAC-Developer-1.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix + ../2configs/retiolum.nix + ]; + + networking = let + inherit (config.krebs.build.host.nets.internet) ip4; + in { + interfaces.enp2s1.ip4 = singleton { + address = ip4.addr; + prefixLength = fromJSON (head (match ".*/([0-9]+)" ip4.prefix)); + }; + defaultGateway = head (match "([^/]*)\.0/[0-9]+" ip4.prefix) + ".1"; + nameservers = ["8.8.8.8"]; + }; +} diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix deleted file mode 100644 index dcec1e200..000000000 --- a/tv/1systems/mkdir.nix +++ /dev/null 
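Review bot: The new tv/1systems/caxi.nix imports `../.`, the hw/fs fragments and `../2configs/retiolum.nix` but nothing that enables `tv.iptables`, whereas the mkdir.nix and rmdir.nix it replaces enabled it with an explicit accept list (ssh, tinc, smtp on internet; http on retiolum); unless `../.` or retiolum.nix turns the firewall on, the host's internet interface is left to the defaults while ssh on 11423 and tinc are reachable from the provider subnet. Either import the same iptables fragment or note in the file why it is not needed. Separately, in `defaultGateway` the `\.` inside the double-quoted regex is consumed by the Nix string parser, so `match` sees `.0`, i.e. any character before the `0`; `"([^/]*)\\.0/[0-9]+"` is the intended pattern, and the `# TODO define gateway in krebs/3modules/default.nix` comment from the deleted files is worth keeping above it since the `.1` gateway is still an assumption.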
@@ -1,76 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with config.krebs.lib;
-
-let
- # TODO merge with lass
- getDefaultGateway = ip:
- concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
-
- primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr;
-in
-
-{
- krebs.build.host = config.krebs.hosts.mkdir;
-
- imports = [
- ../.
- ../2configs/hw/CAC-Developer-1.nix
- ../2configs/fs/CAC-CentOS-7-64bit.nix
- ../2configs/exim-smarthost.nix
- ../2configs/git.nix
- {
- tv.iptables = {
- enable = true;
- input-internet-accept-tcp = [
- "ssh"
- "tinc"
- "smtp"
- ];
- input-retiolum-accept-tcp = [
- "http"
- ];
- };
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "cd"
- "fastpoke"
- "pigstarter"
- "ire"
- ];
- };
- }
- ];
-
- networking.interfaces.enp2s1.ip4 = [
- {
- address = primary-addr4;
- prefixLength = 24;
- }
- ];
-
- # TODO define gateway in krebs/3modules/default.nix
- networking.defaultGateway = getDefaultGateway primary-addr4;
-
- networking.nameservers = [
- "8.8.8.8"
- ];
-
- environment.systemPackages = with pkgs; [
- htop
- iftop
- iotop
- iptables
- nethogs
- rxvt_unicode.terminfo
- tcpdump
- ];
-
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-}
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
deleted file mode 100644
index 34f926020..000000000
--- a/tv/1systems/rmdir.nix
+++ /dev/null
@@ -1,76 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - # TODO merge with lass - getDefaultGateway = ip: - concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); - - primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr; -in - -{ - krebs.build.host = config.krebs.hosts.rmdir; - - imports = [ - ../. - ../2configs/hw/CAC-Developer-1.nix - ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/exim-smarthost.nix - ../2configs/git.nix - { - tv.iptables = { - enable = true; - input-internet-accept-tcp = [ - "ssh" - "tinc" - "smtp" - ]; - input-retiolum-accept-tcp = [ - "http" - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "cd" - "mkdir" - "fastpoke" - "pigstarter" - "ire" - ]; - }; - } - ]; - - networking.interfaces.enp2s1.ip4 = [ - { - address = primary-addr4; - prefixLength = 24; - } - ]; - # TODO define gateway in krebs/3modules/default.nix - networking.defaultGateway = getDefaultGateway primary-addr4; - - networking.nameservers = [ - "8.8.8.8" - ]; - - environment.systemPackages = with pkgs; [ - htop - iftop - iotop - iptables - nethogs - rxvt_unicode.terminfo - tcpdump - ]; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; -} diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index d0d07d5ca..70e25e2e5 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -4,6 +4,10 @@ with config.krebs.lib; { krebs.nginx = { + extraConfig = '' + events { + } + ''; servers.default.locations = [ (nameValuePair "= /etc/os-release" '' default_type text/plain; |
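Review bot: The `extraConfig` added to krebs.nginx contributes an empty `events { }` block with no comment on why it is there; a reader cannot tell whether krebs.nginx omits the mandatory events section and this supplies it, or whether it is a placeholder for worker settings that never got filled in. A one-line comment above it, `# nginx refuses to start without an events block; empty keeps the defaults (confirm krebs.nginx does not emit one itself)`, would settle that. The `krebs.nginx` attrset continues outside the hunk.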