43 files changed, 781 insertions, 557 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 3d54900e4..b4686894e 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -8,15 +8,15 @@ with config.krebs.lib; cores = 4; nets = rec { internet = { - addrs4 = ["144.76.172.188"]; + ip4.addr = "144.76.172.188"; aliases = [ "dishfire.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.133.99"]; - addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"]; + ip4.addr = "10.243.133.99"; + ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1233"; aliases = [ "dishfire.retiolum" "dishfire.r" @@ -40,15 +40,15 @@ with config.krebs.lib; cores = 2; nets = rec { internet = { - addrs4 = ["162.252.241.33"]; + ip4.addr = "162.252.241.33"; aliases = [ "echelon.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.206.103"]; - addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f763"]; + ip4.addr = "10.243.206.103"; + ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763"; aliases = [ "echelon.retiolum" "echelon.r" @@ -75,15 +75,15 @@ with config.krebs.lib; cores = 4; nets = rec { internet = { - addrs4 = ["213.239.205.240"]; + ip4.addr = "213.239.205.240"; aliases = [ "prism.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.0.103"]; - addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"]; + ip4.addr = "10.243.0.103"; + ip6.addr = "42:0000:0000:0000:0000:0000:0000:15ab"; aliases = [ "prism.retiolum" "prism.r" @@ -107,15 +107,15 @@ with config.krebs.lib; fastpoke = { nets = rec { internet = { - addrs4 = ["193.22.164.36"]; + ip4.addr = "193.22.164.36"; aliases = [ "fastpoke.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.253.152"]; - addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"]; + ip4.addr = "10.243.253.152"; + ip6.addr = "42:422a:194f:ff3b:e196:2f82:5cf5:bc00"; aliases = [ "fastpoke.retiolum" "fastpoke.r" 
@@ -139,15 +139,15 @@ with config.krebs.lib; cores = 1; nets = rec { internet = { - addrs4 = ["104.167.113.104"]; + ip4.addr = "104.167.113.104"; aliases = [ "cloudkrebs.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.206.102"]; - addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + ip4.addr = "10.243.206.102"; + ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f762"; aliases = [ "cloudkrebs.retiolum" "cloudkrebs.r" @@ -172,12 +172,12 @@ with config.krebs.lib; cores = 1; nets = { gg23 = { - addrs4 = ["10.23.1.12"]; + ip4.addr = "10.23.1.12"; aliases = ["uriel.gg23"]; }; retiolum = { - addrs4 = ["10.243.81.176"]; - addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; + ip4.addr = "10.243.81.176"; + ip6.addr = "42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"; aliases = [ "uriel.retiolum" "uriel.r" @@ -203,12 +203,12 @@ with config.krebs.lib; cores = 2; nets = { gg23 = { - addrs4 = ["10.23.1.11"]; + ip4.addr = "10.23.1.11"; aliases = ["mors.gg23"]; }; retiolum = { - addrs4 = ["10.243.0.2"]; - addrs6 = ["42:0:0:0:0:0:0:dea7"]; + ip4.addr = "10.243.0.2"; + ip6.addr = "42:0:0:0:0:0:0:dea7"; aliases = [ "mors.retiolum" "mors.r" @@ -234,8 +234,8 @@ with config.krebs.lib; cores = 2; nets = { retiolum = { - addrs4 = ["10.243.0.3"]; - addrs6 = ["42:0:0:0:0:0:0:7105"]; + ip4.addr = "10.243.0.3"; + ip6.addr = "42:0:0:0:0:0:0:7105"; aliases = [ "helios.retiolum" "helios.r" diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index bd7c0db48..814e6929b 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -8,8 +8,8 @@ with config.krebs.lib; cores = 1; nets = { retiolum = { - addrs4 = ["10.243.0.210"]; - addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; + ip4.addr = "10.243.0.210"; + ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0001"; aliases = [ "pnp.retiolum" "cgit.pnp.retiolum" 
@@ -31,8 +31,8 @@ with config.krebs.lib; cores = 4; nets = { retiolum = { - addrs4 = ["10.243.0.84"]; - addrs6 = ["42:ff6b:5f0b:460d:2cee:4d05:73f7:5566"]; + ip4.addr = "10.243.0.84"; + ip6.addr = "42:ff6b:5f0b:460d:2cee:4d05:73f7:5566"; aliases = [ "darth.retiolum" "darth.r" @@ -54,8 +54,8 @@ with config.krebs.lib; cores = 1; nets = { retiolum = { - addrs4 = ["10.243.0.212"]; - addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"]; + ip4.addr = "10.243.0.212"; + ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0002"; aliases = [ "tsp.retiolum" ]; @@ -81,8 +81,8 @@ with config.krebs.lib; cores = 2; nets = { retiolum = { - addrs4 = ["10.243.0.91"]; - addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"]; + ip4.addr = "10.243.0.91"; + ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"; aliases = [ "pornocauster.retiolum" "pornocauster.r" @@ -108,8 +108,8 @@ with config.krebs.lib; cores = 2; nets = { retiolum = { - addrs4 = ["10.243.1.91"]; - addrs6 = ["42:0b2c:d90e:e717:03dd:9ac1:0000:a400"]; + ip4.addr = "10.243.1.91"; + ip6.addr = "42:0b2c:d90e:e717:03dd:9ac1:0000:a400"; aliases = [ "vbob.retiolum" ]; @@ -135,22 +135,22 @@ with config.krebs.lib; extraZones = { "krebsco.de" = '' euer IN MX 1 aspmx.l.google.com. - pigstarter IN A ${head nets.internet.addrs4} - gold IN A ${head nets.internet.addrs4} - boot IN A ${head nets.internet.addrs4} + pigstarter IN A ${nets.internet.ip4.addr} + gold IN A ${nets.internet.ip4.addr} + boot IN A ${nets.internet.ip4.addr} ''; }; nets = { internet = { - addrs4 = ["192.40.56.122"]; - addrs6 = ["2604:2880::841f:72c"]; + ip4.addr = "192.40.56.122"; + ip6.addr = "2604:2880::841f:72c"; aliases = [ "pigstarter.internet" ]; }; retiolum = { - addrs4 = ["10.243.0.153"]; - addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"]; + ip4.addr = "10.243.0.153"; + ip6.addr = "42:9143:b4c0:f981:6030:7aa2:8bc5:4110"; aliases = [ "pigstarter.retiolum" ]; 
@@ -171,18 +171,18 @@ with config.krebs.lib; cores = 1; extraZones = { "krebsco.de" = '' - euer IN A ${head nets.internet.addrs4} - wiki.euer IN A ${head nets.internet.addrs4} - wry IN A ${head nets.internet.addrs4} + euer IN A ${nets.internet.ip4.addr} + wiki.euer IN A ${nets.internet.ip4.addr} + wry IN A ${nets.internet.ip4.addr} io IN NS wry.krebsco.de. - graphs IN A ${head nets.internet.addrs4} - paste 60 IN A ${head nets.internet.addrs4} - tinc IN A ${head nets.internet.addrs4} + graphs IN A ${nets.internet.ip4.addr} + paste 60 IN A ${nets.internet.ip4.addr} + tinc IN A ${nets.internet.ip4.addr} ''; }; nets = rec { internet = { - addrs4 = ["104.233.87.86"]; + ip4.addr = "104.233.87.86"; aliases = [ "wry.internet" "paste.internet" @@ -190,8 +190,8 @@ with config.krebs.lib; }; retiolum = { via = internet; - addrs4 = ["10.243.29.169"]; - addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"]; + ip4.addr = "10.243.29.169"; + ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad"; aliases = [ "graphs.wry.retiolum" "graphs.retiolum" @@ -228,8 +228,8 @@ with config.krebs.lib; nets = { retiolum = { - addrs4 = ["10.243.153.102"]; - addrs6 = ["42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"]; + ip4.addr = "10.243.153.102"; + ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"; aliases = [ "filepimp.retiolum" ]; @@ -252,8 +252,8 @@ with config.krebs.lib; nets = { retiolum = { - addrs4 = ["10.243.0.89"]; - addrs6 = ["42:f9f0::10"]; + ip4.addr = "10.243.0.89"; + ip6.addr = "42:f9f0::10"; aliases = [ "omo.retiolum" "omo.r" @@ -277,8 +277,8 @@ with config.krebs.lib; cores = 1; nets = { retiolum = { - addrs4 = ["10.243.214.15"]; - addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"]; + ip4.addr = "10.243.214.15"; + ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"; aliases = [ "wbob.retiolum" ]; 
@@ -301,24 +301,24 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB extraZones = { "krebsco.de" = '' - share.euer IN A ${head nets.internet.addrs4} - mattermost.euer IN A ${head nets.internet.addrs4} - git.euer IN A ${head nets.internet.addrs4} - gum IN A ${head nets.internet.addrs4} - cgit.euer IN A ${head nets.internet.addrs4} + share.euer IN A ${nets.internet.ip4.addr} + mattermost.euer IN A ${nets.internet.ip4.addr} + git.euer IN A ${nets.internet.ip4.addr} + gum IN A ${nets.internet.ip4.addr} + cgit.euer IN A ${nets.internet.ip4.addr} ''; }; nets = rec { internet = { - addrs4 = ["195.154.108.70"]; + ip4.addr = "195.154.108.70"; aliases = [ "gum.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.0.211"]; - addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"]; + ip4.addr = "10.243.0.211"; + ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2"; aliases = [ "gum.r" "gum.retiolum" @@ -346,20 +346,20 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; extraZones = { "krebsco.de" = '' - mediengewitter IN A ${head nets.internet.addrs4} - flap IN A ${head nets.internet.addrs4} + mediengewitter IN A ${nets.internet.ip4.addr} + flap IN A ${nets.internet.ip4.addr} ''; }; nets = { internet = { - addrs4 = ["162.248.11.162"]; + ip4.addr = "162.248.11.162"; aliases = [ "flap.internet" ]; }; retiolum = { - addrs4 = ["10.243.211.172"]; - addrs6 = ["42:472a:3d01:bbe4:4425:567e:592b:065d"]; + ip4.addr = "10.243.211.172"; + ip6.addr = "42:472a:3d01:bbe4:4425:567e:592b:065d"; aliases = [ "flap.retiolum" "flap.r" @@ -382,8 +382,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.231.219"]; - addrs6 = ["42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72"]; + ip4.addr = "10.243.231.219"; + ip6.addr = "42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72"; aliases = [ "nukular.r" ]; 
@@ -405,8 +405,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.124.21"]; - addrs6 = ["42:9898:a8be:ce56:0ee3:b99c:42c5:109e"]; + ip4.addr = "10.243.124.21"; + ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e"; aliases = [ "heidi.r" ]; @@ -428,7 +428,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.69.184"]; + ip4.addr = "10.243.69.184"; aliases = [ "soundflower.r" ]; @@ -450,7 +450,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.120.19"]; + ip4.addr = "10.243.120.19"; aliases = [ "falk.r" ]; @@ -472,8 +472,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 4; nets = { retiolum = { - addrs4 = ["10.243.189.130"]; - addrs6 = ["42:c64e:011f:9755:31e1:c3e6:73c0:af2d"]; + ip4.addr = "10.243.189.130"; + ip6.addr = "42:c64e:011f:9755:31e1:c3e6:73c0:af2d"; aliases = [ "filebitch.r" ]; @@ -495,8 +495,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.26.29"]; - addrs6 = ["42:927a:3d59:1cb3:29d6:1a08:78d3:812e"]; + ip4.addr = "10.243.26.29"; + ip6.addr = "42:927a:3d59:1cb3:29d6:1a08:78d3:812e"; aliases = [ "excobridge.r" ]; @@ -518,14 +518,14 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { internet = { - addrs4 = ["148.251.47.69"]; + ip4.addr = "148.251.47.69"; aliases = [ "wooki.internet" ]; }; retiolum = { - addrs4 = ["10.243.57.85"]; - addrs6 = ["42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"]; + ip4.addr = "10.243.57.85"; + ip6.addr = "42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"; aliases = [ "wooki.r" ]; @@ -547,8 +547,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 2; nets = { retiolum = { - addrs4 = ["10.243.0.163"]; - addrs6 = ["42:b67b:5752:a730:5f28:d80d:6b37:5bda/128"]; + ip4.addr = "10.243.0.163"; + ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda"; aliases = [ "senderechner.r" ]; 
@@ -570,14 +570,14 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { internet = { - addrs4 = ["217.160.206.154"]; + ip4.addr = "217.160.206.154"; aliases = [ "muhbaasu.internet" ]; }; retiolum = { - addrs4 = ["10.243.139.184"]; - addrs6 = ["42:d568:6106:ba30:753b:0f2a:8225:b1fb"]; + ip4.addr = "10.243.139.184"; + ip6.addr = "42:d568:6106:ba30:753b:0f2a:8225:b1fb"; aliases = [ "muhbaasu.r" ]; diff --git a/krebs/3modules/miefda/default.nix b/krebs/3modules/miefda/default.nix index 9a5866294..a03f7ff4d 100644 --- a/krebs/3modules/miefda/default.nix +++ b/krebs/3modules/miefda/default.nix @@ -8,8 +8,8 @@ with config.krebs.lib; cores = 4; nets = { retiolum = { - addrs4 = ["10.243.111.112"]; - addrs6 = ["42:0:0:0:0:0:111:112"]; + ip4.addr = "10.243.111.112"; + ip6.addr = "42:0:0:0:0:0:111:112"; aliases = [ "bobby.retiolum" "cgit.bobby.retiolum" diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix index 3b4001e7a..20118c61f 100644 --- a/krebs/3modules/mv/default.nix +++ b/krebs/3modules/mv/default.nix @@ -8,8 +8,8 @@ with config.krebs.lib; cores = 4; nets = { retiolum = { - addrs4 = ["10.243.111.111"]; - addrs6 = ["42:0:0:0:0:0:111:111"]; + ip4.addr = "10.243.111.111"; + ip6.addr = "42:0:0:0:0:0:111:111"; aliases = [ "stro.retiolum" "cgit.stro.retiolum" diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 816c2ff69..6af93a570 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix 
@@ -117,28 +117,24 @@ let } ''; - to-server = { server-names, listen, locations, extraConfig, ssl, ... }: - let - _extraConfig = if ssl.enable then - extraConfig + '' - ssl_certificate ${ssl.certificate}; - ssl_certificate_key ${ssl.certificate_key}; - ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '' - else - extraConfig - ; - - in '' - server { - ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")} - server_name ${toString server-names}; - ${indent _extraConfig} - ${indent (concatMapStrings to-location locations)} - } - ''; + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: '' + server { + server_name ${toString server-names}; + ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} + ${optionalString ssl.enable (indent '' + listen 443 ssl; + ssl_certificate ${ssl.certificate}; + ssl_certificate_key ${ssl.certificate_key}; + ${optionalString ssl.prefer_server_ciphers '' + ssl_prefer_server_ciphers On; + ''} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '')} + ${indent extraConfig} + ${indent (concatMapStrings to-location locations)} + } + ''; in out diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 61b4473e1..5aaeb5a30 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix 
@@ -11,26 +11,13 @@ let api = { enable = mkEnableOption "krebs.retiolum"; - name = mkOption { - type = types.str; - default = config.networking.hostName; - # Description stolen from tinc.conf(5). - description = '' - This is the name which identifies this tinc daemon. It must - be unique for the virtual private network this daemon will - connect to. The Name may only consist of alphanumeric and - underscore characters. If Name starts with a $, then the - contents of the environment variable that follows will be - used. In that case, invalid characters will be converted to - underscores. If Name is $HOST, but no such environment - variable exist, the hostname will be read using the - gethostnname() system call This is the name which identifies - the this tinc daemon. - ''; + host = mkOption { + type = types.host; + default = config.krebs.build.host; }; netname = mkOption { - type = types.str; + type = types.enum (attrNames cfg.host.nets); default = "retiolum"; description = '' The tinc network name. @@ -99,17 +86,13 @@ let description = "Iproute2 package to use."; }; - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... - type = types.str; - default = toString <secrets/retiolum.rsa_key.priv>; - description = '' - Generate file with <literal>tincd -K</literal>. - This file must exist on the local system. The default points to - <secrets/retiolum.rsa_key.priv>. - ''; + privkey = mkOption { + type = types.secret-file; + default = { + path = "${cfg.user.home}/tinc.rsa_key.priv"; + owner = cfg.user; + source-path = toString <secrets> + "/${cfg.netname}.rsa_key.priv"; + }; }; connectTo = mkOption { 
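Review bot: The new `host` and `privkey` options carry no `description`, whereas the `privateKeyFile` option that `privkey` replaces documented how the key is generated (`tincd -K`) and why the option must not be `types.path` — a path value would be copied into the world-readable /nix/store. That pitfall still governs `privkey.source-path`, which is built with `toString <secrets>` for exactly this reason, so the comment should move rather than vanish, e.g. above the default: `# source-path stays a string: a path value would copy the private key into the store`. A one-line description on `host` (the krebs host whose `nets.${netname}` entry this tinc daemon is configured from, defaulting to `config.krebs.build.host`) would spare readers the trip to types.nix. The surrounding `api` attrset begins before the first hunk.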
@@ -122,81 +105,67 @@ let ''; }; + user = mkOption { + type = types.user; + default = { + name = cfg.netname; + home = "/var/lib/${cfg.user.name}"; + }; + }; }; imp = { + krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey; + environment.systemPackages = [ tinc iproute ]; - systemd.services.retiolum = { + systemd.services.${cfg.netname} = { description = "Tinc daemon for Retiolum"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + requires = [ "secret.service" ]; path = [ tinc iproute ]; serviceConfig = rec { - PermissionsStartOnly = "true"; - PrivateTmp = "true"; Restart = "always"; - # TODO we cannot chroot (-R) b/c we use symlinks to hosts - # and the private key. - ExecStartPre = pkgs.writeScript "retiolum-init" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv - ''; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = "retiolum"; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; + SyslogIdentifier = cfg.netname; }; }; - users.extraUsers = singleton { - inherit (user) name uid; + users.users.${cfg.user.name} = { + inherit (cfg.user) home name uid; + createHome = true; }; }; - user = rec { - name = "retiolum"; - uid = genid name; - }; + net = cfg.host.nets.${cfg.netname}; tinc = cfg.tincPackage; iproute = cfg.iproutePackage; - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${cfg.hostsPackage} $out/hosts - - cat > $out/tinc.conf <<EOF - Name = ${cfg.name} - Device = /dev/net/tun - Interface = ${cfg.netname} - ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)} - PrivateKeyFile = /tmp/retiolum-rsa_key.priv - ${cfg.extraConfig} - EOF - - # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up - cat > 
$out/tinc-up <<EOF - host=$out/hosts/${cfg.name} - ${iproute}/sbin/ip link set \$INTERFACE up - - addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host) - if [ -n "\$addr4" ];then - ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE - ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE - fi - addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host) - ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE - ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE - EOF - - chmod +x $out/tinc-up - ''; + confDir = let + namePathPair = name: path: { inherit name path; }; + in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair { + "hosts" = cfg.hostsPackage; + "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' + Name = ${cfg.host.name} + Interface = ${cfg.netname} + ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privkey.path} + ${cfg.extraConfig} + ''; + "tinc-up" = pkgs.writeScript "${cfg.netname}-tinc-up" '' + ${iproute}/sbin/ip link set ${cfg.netname} up + ${optionalString (net.ip4 != null) '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname} + ''} + ${optionalString (net.ip6 != null) '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname} + ''} + ''; + }); in out diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index ccd15b569..47767d370 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -12,8 +12,8 @@ let cores = 1; nets = { retiolum = { - addrs4 = ["10.243.111.111"]; - addrs6 = ["42:0:0:0:0:0:0:7357"]; + ip4.addr = "10.243.111.111"; + ip6.addr = "42:0:0:0:0:0:0:7357"; aliases = [ "test.r" "test.retiolum" 
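Review bot: `requires = [ "secret.service" ]` on the new `systemd.services.${cfg.netname}` does not order the unit after secret.service — Requires= only pulls the dependency in — so tincd can be started before the key at `cfg.privkey.path` has been installed; the `after` list one line above still names only network.target and should become `after = [ "network.target" "secret.service" ];`. The hunk also drops `PrivateTmp = "true"` along with the old /tmp key copy; since the key now lives under `${cfg.user.home}`, PrivateTmp no longer gets in the way and could be kept as cheap sandboxing for the daemon. The `let` block that holds `imp` and `confDir` starts before the hunk.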
@@ -36,7 +36,7 @@ in { wolf = { nets = { shack = { - addrs4 = [ "10.42.2.150" ]; + ip4.addr = "10.42.2.150" ; aliases = [ "wolf.shack" "graphite.shack" @@ -45,8 +45,8 @@ in { ]; }; retiolum = { - addrs4 = ["10.243.77.1"]; - addrs6 = ["42:0:0:0:0:0:77:1"]; + ip4.addr = "10.243.77.1"; + ip6.addr = "42:0:0:0:0:0:77:1"; aliases = [ "wolf.retiolum" "cgit.wolf.retiolum" diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 13d3163c0..b0f0ce547 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -13,15 +13,15 @@ with config.krebs.lib; # TODO generate krebsco.de zone from nets and don't use extraZones at all "krebsco.de" = '' krebsco.de. 60 IN MX 5 mx23 - mx23 60 IN A ${elemAt nets.internet.addrs4 0} - cd 60 IN A ${elemAt nets.internet.addrs4 0} - cgit 60 IN A ${elemAt nets.internet.addrs4 0} - cgit.cd 60 IN A ${elemAt nets.internet.addrs4 0} + mx23 60 IN A ${nets.internet.ip4.addr} + cd 60 IN A ${nets.internet.ip4.addr} + cgit 60 IN A ${nets.internet.ip4.addr} + cgit.cd 60 IN A ${nets.internet.ip4.addr} ''; }; nets = rec { internet = { - addrs4 = ["162.219.7.216"]; + ip4.addr = "162.219.7.216"; aliases = [ "cd.i" "cd.internet" @@ -34,8 +34,8 @@ with config.krebs.lib; }; retiolum = { via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; + ip4.addr = "10.243.113.222"; + ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af3"; aliases = [ "cd.r" "cd.retiolum" 
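Review bot: `ip4.addr = "10.42.2.150" ;` in the wolf.shack block has a stray space before the semicolon, unlike every other converted `ip4.addr` line in this commit. Nix accepts it, so this is consistency only: `ip4.addr = "10.42.2.150";`.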
@@ -62,11 +62,46 @@ with config.krebs.lib; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6"; }; + doppelbock = rec { + cores = 2; + nets = rec { + internet = { + ip4.addr = "45.62.237.203"; + aliases = [ + "doppelbock.i" + "doppelbock.internet" + ]; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.113.224"; + ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5"; + aliases = [ + "doppelbock.r" + "doppelbock.retiolum" + "cgit.doppelbock.r" + "cgit.doppelbock.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAq/luvzH4CQX5qRuucUqR3aLwXtzsRmBOdd2hvrPG1z8ML2kKV+IG + 0aBfyJmQ8csfeGhOj0y0LEBv4bkEjEtYObs+LJfdWZC5e39eAVUE0z8QbSPOx4di + /7Bo+9sFRELP1kYb47eLR8quiIkslMWQMbTLM5RHoXJ5jE8fQSitfp4WUZYiSPDF + d5F7RU/ZQfTZuh8gv7RmSn/6N6bXAQWrueK6ZqMuImIjBrmYyXUWxgsDnpeHxR5j + j/0F2Bda5lyp+Qzv24PREdPT8FazUfmIQwZTTArXHxiqLq+SEVT21E4WEf2sJRan + dti9yVUW3eiqpu8b9BRpvxOB3YdkyqlrGwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_rsa>; + ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLhrVTEmbtuTsgRTHHxsLrq7ai1Yt7+oKFevr1gzktCQqHuyucXzxn60F00kuNDkNiKIF5fHmWy6ajU+6PKD3TfiFMagT9ah0x0RSB0+0tevxnlOp6VdHhrdM5YrBduWMiELmOiI1lvYhRqKd/ZE7b2mra6KYe5VtTi9UX3wQp8qN+bI01KCxv0p6ciUgEO8fnwLKDBUuFJ2UfE7Ais9XrXFIBFXB+MKcpLnIXvrV6dSXdUEiaswg8wo0Q0Y3tMaQ0dNJdH2yp3FVn1aiX3E/vVnffmDKMWYWqn78klujdEdmLm8/8NkXnc/jpgu8ZlSpQHECO2ZUJzd35yRnVKALv"; + }; mkdir = rec { cores = 1; nets = rec { internet = { - addrs4 = ["104.167.114.142"]; + ip4.addr = "104.167.114.142"; aliases = [ "mkdir.i" "mkdir.internet" @@ -74,8 +109,8 @@ with config.krebs.lib; }; retiolum = { via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; + ip4.addr = "10.243.113.223"; + ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af4"; aliases = [ "mkdir.r" "mkdir.retiolum" 
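Review bot: The new `doppelbock` host reuses rmdir's retiolum addresses: this hunk sets `ip4.addr = "10.243.113.224"` and `ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5"`, and the rmdir hunk further down this file (`@@ -246,8 +281,8 @@`) keeps exactly the same pair for rmdir. Two tinc hosts announcing the same Subnet cannot both be reached, and nothing in the new addr4/addr6 types in types.nix checks for duplicates across hosts, so this would only show up as flapping routes at runtime. Unless rmdir is being retired in the same change, one of the two needs its own unused pair (mkdir above ends in .223 / :2af4, so the sequence suggests these were meant to be the next free values).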
@@ -101,12 +136,12 @@ with config.krebs.lib; extraZones = { # TODO generate krebsco.de zone from nets and don't use extraZones at all "krebsco.de" = '' - ire 60 IN A ${elemAt nets.internet.addrs4 0} + ire 60 IN A ${nets.internet.ip4.addr} ''; }; nets = rec { internet = { - addrs4 = ["198.147.22.115"]; + ip4.addr = "198.147.22.115"; aliases = [ "ire.i" "ire.internet" @@ -116,8 +151,8 @@ with config.krebs.lib; }; retiolum = { via = internet; - addrs4 = ["10.243.231.66"]; - addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"]; + ip4.addr = "10.243.231.66"; + ip6.addr = "42:b912:0f42:a82d:0d27:8610:e89b:490c"; aliases = [ "ire.r" "ire.retiolum" @@ -140,7 +175,7 @@ with config.krebs.lib; kaepsele = { nets = { internet = { - addrs4 = ["92.222.10.169"]; + ip4.addr = "92.222.10.169"; aliases = [ "kaepsele.i" "kaepsele.internet" @@ -148,8 +183,8 @@ with config.krebs.lib; ]; }; retiolum = { - addrs4 = ["10.243.166.2"]; - addrs6 = ["42:0b9d:6660:d07c:2bb7:4e91:1a01:2e7d"]; + ip4.addr = "10.243.166.2"; + ip6.addr = "42:0b9d:6660:d07c:2bb7:4e91:1a01:2e7d"; aliases = [ "kaepsele.r" "kaepsele.retiolum" @@ -172,8 +207,8 @@ with config.krebs.lib; cores = 2; nets = { retiolum = { - addrs4 = ["10.243.20.1"]; - addrs6 = ["42:0:0:0:0:0:0:2001"]; + ip4.addr = "10.243.20.1"; + ip6.addr = "42:0:0:0:0:0:0:2001"; aliases = [ "mu.r" "mu.retiolum" @@ -197,13 +232,13 @@ with config.krebs.lib; cores = 2; nets = rec { gg23 = { - addrs4 = ["10.23.1.110"]; + ip4.addr = "10.23.1.110"; aliases = ["nomic.gg23"]; ssh.port = 11423; }; retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; + ip4.addr = "10.243.0.110"; + ip6.addr = "42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"; aliases = [ "nomic.r" "nomic.retiolum" @@ -229,7 +264,7 @@ with config.krebs.lib; ok = { nets = { gg23 = { - addrs4 = ["10.23.1.1"]; + ip4.addr = "10.23.1.1"; aliases = ["ok.gg23"]; }; }; 
@@ -238,7 +273,7 @@ with config.krebs.lib; cores = 1; nets = rec { internet = { - addrs4 = ["167.88.34.182"]; + ip4.addr = "167.88.34.182"; aliases = [ "rmdir.i" "rmdir.internet" @@ -246,8 +281,8 @@ with config.krebs.lib; }; retiolum = { via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; + ip4.addr = "10.243.113.224"; + ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5"; aliases = [ "rmdir.r" "rmdir.retiolum" @@ -272,7 +307,7 @@ with config.krebs.lib; schnabeldrucker = { nets = { gg23 = { - addrs4 = ["10.23.1.21"]; + ip4.addr = "10.23.1.21"; aliases = ["schnabeldrucker.gg23"]; }; }; @@ -280,7 +315,7 @@ with config.krebs.lib; schnabelscanner = { nets = { gg23 = { - addrs4 = ["10.23.1.22"]; + ip4.addr = "10.23.1.22"; aliases = ["schnabelscanner.gg23"]; }; }; @@ -289,7 +324,7 @@ with config.krebs.lib; cores = 4; nets = { gg23 = { - addrs4 = ["10.23.1.37"]; + ip4.addr = "10.23.1.37"; aliases = [ "wu.gg23" "cache.wu.gg23" @@ -297,8 +332,8 @@ with config.krebs.lib; ssh.port = 11423; }; retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; + ip4.addr = "10.243.13.37"; + ip6.addr = "42:0:0:0:0:0:0:1337"; aliases = [ "wu.r" "wu.retiolum" @@ -325,13 +360,13 @@ with config.krebs.lib; cores = 4; nets = { gg23 = { - addrs4 = ["10.23.1.38"]; + ip4.addr = "10.23.1.38"; aliases = ["xu.gg23"]; ssh.port = 11423; }; retiolum = { - addrs4 = ["10.243.13.38"]; - addrs6 = ["42:0:0:0:0:0:0:1338"]; + ip4.addr = "10.243.13.38"; + ip6.addr = "42:0:0:0:0:0:0:1338"; aliases = [ "xu.r" "xu.retiolum" diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 7255dc3e1..f46491801 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix 
@@ -63,28 +63,56 @@ types // rec { net = submodule ({ config, ... }: { options = { + name = mkOption { + type = label; + default = config._module.args.name; + }; via = mkOption { type = nullOr net; default = null; }; addrs = mkOption { type = listOf addr; - default = config.addrs4 ++ config.addrs6; - # TODO only default addrs make sense - }; - addrs4 = mkOption { - type = listOf addr4; - default = []; - }; - addrs6 = mkOption { - type = listOf addr6; - default = []; + default = + optional (config.ip4 != null) config.ip4.addr ++ + optional (config.ip6 != null) config.ip6.addr; + readOnly = true; }; aliases = mkOption { # TODO nonEmptyListOf hostname type = listOf hostname; default = []; }; + ip4 = mkOption { + type = nullOr (submodule { + options = { + addr = mkOption { + type = addr4; + }; + prefix = mkOption ({ + type = str; # TODO routing prefix (CIDR) + } // optionalAttrs (config.name == "retiolum") { + default = "10.243.0.0/16"; + }); + }; + }); + default = null; + }; + ip6 = mkOption { + type = nullOr (submodule { + options = { + addr = mkOption { + type = addr6; + }; + prefix = mkOption ({ + type = str; # TODO routing prefix (CIDR) + } // optionalAttrs (config.name == "retiolum") { + default = "42::/16"; + }); + }; + }); + default = null; + }; ssh = mkOption { type = submodule { options = { @@ -192,10 +220,17 @@ types // rec { check = let IPv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in concatMapStringsSep "." (const d) (range 1 4); - in x: match IPv4address != null; + in x: match IPv4address x != null; + merge = mergeOneOption; + }; + addr6 = mkOptionType { + name = "IPv6 address"; + check = let + # TODO check IPv6 address harder + IPv6address = "[0-9a-f.:]+"; + in x: match IPv6address x != null; merge = mergeOneOption; }; - addr6 = str; # TODO pgp-pubkey = str; diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 98f509050..636d6a855 100644 --- a/lass/1systems/cloudkrebs.nix 
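Review bot: The new `addr6` check `[0-9a-f.:]+` rejects uppercase hex digits, which are valid in IPv6 literals, while still accepting non-addresses such as `:::`; the TODO covers the second point, but the first will surface as a confusing type error for anyone pasting an address in uppercase. A minimal widening is `IPv6address = "[0-9a-fA-F.:]+";`. In the first hunk, `prefix` only gets a default when `config.name == "retiolum"`, and the retiolum module's tinc-up reads `net.ip4.prefix`/`net.ip6.prefix` for whichever net `netname` selects, so any other net used as a tinc network must set prefix explicitly or evaluation fails; a comment on the option, `# no default outside retiolum: nets used as tinc netname must set prefix`, would make that visible.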
+++ b/lass/1systems/cloudkrebs.nix @@ -2,16 +2,14 @@ let inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway; - inherit (lib) head; - ip = (head config.krebs.build.host.nets.internet.addrs4); + ip = config.krebs.build.host.nets.internet.ip4.addr; in { imports = [ ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/base.nix ../2configs/retiolum.nix - ../2configs/fastpoke-pages.nix ../2configs/git.nix ../2configs/realwallpaper.nix { diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index c7d016cd3..7043809a5 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -26,6 +26,11 @@ fsType = "ext4"; }; + fileSystems."/srv/http" = { + device = "/dev/pool/srv_http"; + fsType = "ext4"; + }; + fileSystems."/boot" = { device = "/dev/vda1"; fsType = "ext4"; diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index 2ff6dba70..80611ee80 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -2,9 +2,8 @@ let inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway; - inherit (lib) head; - ip = (head config.krebs.build.host.nets.internet.addrs4); + ip = config.krebs.build.host.nets.internet.ip4.addr; in { imports = [ ../. diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 1f7a13c56..0d8db212a 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
@@ -34,104 +34,6 @@ ]; } { - #static-nginx-test - imports = [ - ../3modules/static_nginx.nix - ]; - lass.staticPage."testserver.de" = { - #sslEnable = true; - #certificate = "${toString <secrets>}/testserver.de/server.cert"; - #certificate_key = "${toString <secrets>}/testserver.de/server.pem"; - ssl = { - enable = true; - certificate = "${toString <secrets>}/testserver.de/server.cert"; - certificate_key = "${toString <secrets>}/testserver.de/server.pem"; - }; - }; - networking.extraHosts = '' - 10.243.0.2 testserver.de - ''; - } - #{ - # #wordpress-test - # #imports = singleton (sitesGenerators.createWordpress "testserver.de"); - # imports = [ - # ../3modules/wordpress_nginx.nix - # ]; - # lass.wordpress."testserver.de" = { - # multiSite = { - # "1" = "testserver.de"; - # "2" = "bla.testserver.de"; - # }; - # }; - - # services.mysql = { - # enable = true; - # package = pkgs.mariadb; - # rootPassword = "<secrets>/mysql_rootPassword"; - # }; - # networking.extraHosts = '' - # 10.243.0.2 testserver.de - # ''; - # krebs.iptables.tables.filter.INPUT.rules = [ - # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } - # ]; - #} - #{ - # #owncloud-test - # #imports = singleton (sitesGenerators.createWordpress "testserver.de"); - # imports = [ - # ../3modules/owncloud_nginx.nix - # ]; - # lass.owncloud."owncloud-test.de" = { - # }; - - # #services.mysql = { - # # enable = true; - # # package = pkgs.mariadb; - # # rootPassword = "<secrets>/mysql_rootPassword"; - # #}; - # networking.extraHosts = '' - # 10.243.0.2 owncloud-test.de - # ''; - # krebs.iptables.tables.filter.INPUT.rules = [ - # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } - # ]; - #} - { - containers.pythonenv = { - config = { - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - - environment = { - systemPackages = with pkgs; [ - git - libxml2 - libxslt - libzip - 
python27Full - python27Packages.buildout - stdenv - zlib - ]; - - pathsToLink = [ "/include" ]; - - shellInit = '' - # help pip to find libz.so when building lxml - export LIBRARY_PATH=/var/run/current-system/sw/lib - # ditto for header files, e.g. sqlite - export C_INCLUDE_PATH=/var/run/current-system/sw/include - ''; - }; - - }; - }; - } - { services.mysql = { enable = true; package = pkgs.mariadb; @@ -158,15 +60,6 @@ networking.wireless.enable = true; - networking.extraHosts = '' - 213.239.205.240 wohnprojekt-rhh.de - 213.239.205.240 karlaskop.de - 213.239.205.240 makeup.apanowicz.de - 213.239.205.240 pixelpocket.de - 213.239.205.240 reich-gebaeudereinigung.de - 213.239.205.240 o.ubikmedia.de - ''; - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; @@ -206,7 +99,7 @@ fsType = "ext4"; }; - "/mnt/backups" = { + "/bku" = { device = "/dev/big/backups"; fsType = "ext4"; }; diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 4d40c8d59..09a802b53 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -1,9 +1,7 @@ { config, lib, pkgs, ... }: let - inherit (lib) head; - - ip = (head config.krebs.build.host.nets.internet.addrs4); + ip = config.krebs.build.host.nets.internet.ip4.addr; in { imports = [ ../. @@ -79,6 +77,18 @@ in { device = "/dev/pool/download"; }; + fileSystems."/srv/http" = { + device = "/dev/pool/http"; + }; + + fileSystems."/srv/o.ubikmedia.de-data" = { + device = "/dev/pool/owncloud-ubik-data"; + }; + + fileSystems."/bku" = { + device = "/dev/pool/bku"; + }; + } { sound.enable = false; 
@@ -119,7 +129,7 @@ in { } { users.users.chat.openssh.authorizedKeys.keys = [ - "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFhFJUMTfPbv3SzqlT9S67Av/m/ctLfTd3mMhD4O9hZc+t+dZmaHWj3v1KujzMBiDp3Yfo2YdVVZLTwTluHD8yNoQH418Vm01nrYHwOsc5J0br3mb0URZSstPiz6/6Fc+PNCDfQ2skUAWUidWiH+JolROFQ4y2lfpLOw+wsK2jj+Gqx6w== JuiceSSH" + "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBQjn/3n283RZkBs2CFqbpukyQ3zkLIjewRpKttPa5d4PUiT7/vOlutWH5EP4BxXQSoeZStx8D2alGjxfK+nfDvRJGGofpm23cN4j4i24Fcam1y1H7wqRXO1qbz5AB3qPg== JuiceSSH" config.krebs.users.lass-uriel.pubkey ]; } @@ -132,7 +142,8 @@ in { ../2configs/websites/domsen.nix ]; krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + { predicate = "-p tcp --dport https"; target = "ACCEPT"; } ]; } { diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 4e4eca21f..8bb2348e6 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -47,6 +47,11 @@ with builtins; fsType = "ext4"; }; + "/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; + "/boot" = { device = "/dev/sda1"; }; diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix new file mode 100644 index 000000000..c3275aece --- /dev/null +++ b/lass/2configs/backups.nix 
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+with config.krebs.lib;
+{
+
+ krebs.backup.plans = {
+ } // mapAttrs (_: recursiveUpdate {
+ snapshots = {
+ daily = { format = "%Y-%m-%d"; retain = 7; };
+ weekly = { format = "%YW%W"; retain = 4; };
+ monthly = { format = "%Y-%m"; retain = 12; };
+ yearly = { format = "%Y"; };
+ };
+ }) {
+ prism-chat-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+ startAt = "03:00";
+ };
+ prism-chat-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
+ startAt = "03:00";
+ };
+ mors-home-uriel = {
+ method = "push";
+ src = { host = config.krebs.hosts.mors; path = "/home"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+ startAt = "04:00";
+ };
+ uriel-home-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.uriel; path = "/home"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; };
+ startAt = "04:00";
+ };
+ prism-http-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+ startAt = "04:30";
+ };
+ prism-http-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
+ startAt = "04:30";
+ };
+ prism-sql-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+ startAt = "05:00";
+ };
+ prism-sql-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
+ startAt = "05:00";
+ };
+ };
+}
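Review bot: Every plan here except `mors-home-uriel` is `method = "pull"`, and all of the prism plans pull from a public server onto the two laptops mors and uriel, so whatever credential krebs.backup uses for pulling (presumably root-level ssh access to prism's `/home/chat`, `/srv/http` and the MySQL dumps under `/bku/sql_dumps`; the module itself is not part of this diff) now lives on both laptops, whose `/bku` volumes are plain ext4 mounts elsewhere in this commit with no encryption visible. That deserves a header comment such as `# NOTE: pull plans give mors/uriel read access to prism; /bku receives DB dumps and user homes` plus a check that the pulling keys are command-restricted on prism. Separately, `yearly = { format = "%Y"; }` is the only snapshot class without `retain`; if the module treats a missing value as keep-forever, yearly snapshots accumulate unbounded on `/bku`, so either add an explicit `retain` or state in a comment that unlimited is intended.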
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 8017d4270..ad5df26e8 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -7,10 +7,11 @@ with config.krebs.lib; ../2configs/zsh.nix ../2configs/mc.nix ../2configs/retiolum.nix + ./backups.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) - (import /root/secrets/hashedPasswords.nix); + (import <secrets/hashedPasswords.nix>); } { users.extraUsers = { @@ -55,7 +56,7 @@ with config.krebs.lib; stockholm = "/home/lass/stockholm"; nixpkgs = { url = https://github.com/NixOS/nixpkgs; - rev = "40c586b7ce2c559374df435f46d673baf711c543"; + rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; dev = "/home/lass/src/nixpkgs"; }; } // optionalAttrs config.krebs.build.host.secure { @@ -85,9 +86,12 @@ with config.krebs.lib; MANPAGER=most ''; + nixpkgs.config.allowUnfree = true; + environment.systemPackages = with pkgs; [ #stockholm git + gnumake jq parallel proot @@ -108,6 +112,11 @@ with config.krebs.lib; #neat utils krebspaste + + #unpack stuff + p7zip + unzip + unrar ]; programs.bash = { diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 115cb8b61..ccd751413 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -20,6 +20,7 @@ in { ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey ]; }; diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix deleted file mode 100644 index bf6ea8952..000000000 --- a/lass/2configs/fastpoke-pages.nix +++ /dev/null 
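Review bot: `users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) (import <secrets/hashedPasswords.nix>)` still pulls the hashes into the Nix evaluation, where the NixOS users module serialises `hashedPassword` values into a store path that is world-readable on every host built from this file; switching the lookup from `/root/secrets` to the `<secrets>` NIX_PATH entry does not change that. If the nixpkgs revision pinned further down supports `hashedPasswordFile`, pointing it at a root-only file under the secrets directory keeps the hashes out of `/nix/store`; otherwise a comment like `# NOTE: hashedPassword values end up in the (world-readable) nix store` should record the trade-off next to this line.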
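Review bot: `nixpkgs.config.allowUnfree = true;` is now set globally in base.nix, apparently to get `unrar` into `environment.systemPackages` a few lines below, which lifts the restriction for every host that imports this file (mors.nix already set it locally). A predicate scoped to what is actually wanted, e.g. `nixpkgs.config.allowUnfreePredicate = pkg: elem (builtins.parseDrvName pkg.name).name [ "unrar" ];`, keeps other unfree packages from slipping in unnoticed on servers that have no use for them.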
@@ -1,101 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - createStaticPage = domain: - { - krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/${domain}; - '') - ]; - }; - #networking.extraHosts = '' - # 10.243.206.102 ${domain} - #''; - users.extraUsers = { - ${domain} = { - name = domain; - home = "/var/lib/http/${domain}"; - createHome = true; - }; - }; - }; - -in { - imports = map createStaticPage [ - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - ]; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - ]; - }; - }; - - - krebs.nginx = { - enable = true; - servers = { - #"habsys.de" = { - # server-names = [ - # "habsys.de" - # "www.habsys.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/habsys.de; - # '') - # ]; - #}; - - #"karlaskop.de" = { - # server-names = [ - # "karlaskop.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - #"pixelpocket.de" = { - # server-names = [ - # "pixelpocket.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - }; - }; - - #services.postgresql = { - # enable = true; - #}; - - #config.services.vsftpd = { - # enable = true; - # userlistEnable = true; - # userlistFile = pkgs.writeFile "vsftpd-userlist" '' - # ''; - #}; -} diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 6043a8759..0eec97922 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix 
@@ -13,7 +13,7 @@ in { name = "games"; description = "user playing games"; home = "/home/games"; - extraGroups = [ "audio" "video" "input" ]; + extraGroups = [ "audio" "video" "input" "loot" ]; createHome = true; useDefaultShell = true; }; diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix index d7c68bd7d..636b44395 100644 --- a/lass/2configs/newsbot-js.nix +++ b/lass/2configs/newsbot-js.nix @@ -154,7 +154,6 @@ let telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news tigsource|http://www.tigsource.com/feed/|#news - times|http://www.thetimes.co.uk/tto/news/rss|#news tinc|http://tinc-vpn.org/news/index.rss|#news topix_b|http://www.topix.com/rss/wire/de/berlin|#news torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 33eca0a17..610887621 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -6,5 +6,4 @@ gnupg1 ]; - services.xserver.startGnuPGAgent = true; } diff --git a/lass/2configs/privoxy-retiolum.nix b/lass/2configs/privoxy-retiolum.nix index 3a3641ad8..9059bbac8 100644 --- a/lass/2configs/privoxy-retiolum.nix +++ b/lass/2configs/privoxy-retiolum.nix @@ -1,8 +1,7 @@ { config, lib, ... }: let - r_ip = (head config.krebs.build.host.nets.retiolum.addrs4); - inherit (lib) head; + r_ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { imports = [ diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 109c216c0..1b62bd977 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
@@ -1,24 +1,36 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + manageCerts + activateACME + ssl + servePage + serveOwncloud + serveWordpress; + +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ( ssl "reich-gebaeudereinigung.de" ) + ( servePage "reich-gebaeudereinigung.de" ) - lass.staticPage = { - "karlaskop.de" = {}; - "makeup.apanowicz.de" = {}; - "pixelpocket.de" = {}; - "reich-gebaeudereinigung.de" = {}; - }; + ( manageCert "karlaskop.de" ) + ( servePage "karlaskop.de" ) - lass.owncloud = { - "o.ubikmedia.de" = { - instanceid = "oc8n8ddbftgh"; - }; - }; + ( manageCert "makeup.apanowicz.de" ) + ( servePage "makeup.apanowicz.de" ) + + ( manageCert "pixelpocket.de" ) + ( servePage "pixelpocket.de" ) + + ( ssl "o.ubikmedia.de" ) + ( serveOwncloud "o.ubikmedia.de" ) + + ( manageCerts [ "ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) + ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) + ]; services.mysql = { enable = true; @@ -26,10 +38,31 @@ rootPassword = toString (<secrets/mysql_rootPassword>); }; - #lass.wordpress = { - # "ubikmedia.de" = { - # }; - #}; + services.mysqlBackup = { + enable = true; + databases = [ + "ubikmedia_de" + "o_ubikmedia_de" + ]; + location = "/bku/sql_dumps"; + }; + + users.users.domsen = { + uid = genid "domsen"; + description = "maintenance acc for domsen"; + home = "/home/domsen"; + useDefaultShell = true; + extraGroups = [ "nginx" ]; + createHome = true; + }; + services.phpfpm.phpIni = pkgs.runCommand "php.ini" { + options = '' + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + ''; + } '' + cat ${pkgs.php}/etc/php-recommended.ini > $out + echo "$options" >> $out + ''; } 
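Review bot: `users.users.domsen` is a human maintenance account added to `extraGroups = [ "nginx" ]`, and in the same commit `manageCert`/`manageCerts` set `group = "nginx"; allowKeysForGroup = true;` on every ACME certificate, so domsen obtains read access to `/var/lib/acme/*/key.pem` for all hosted domains and, because the php-fpm pools use `listen.group = nginx`, can also talk to the PHP sockets directly. Site maintenance should go through a dedicated group or owner on `/srv/http/<domain>` (for example `extraGroups = [ "domsen-sites" ]` with the content directories chgrp'd to it) rather than the web server's own group. The new `services.mysqlBackup` with `location = "/bku/sql_dumps"` writes full dumps of the ubikmedia and ownCloud databases; their file permissions are not visible here, but they should be root-only before the backup plans elsewhere in this commit start replicating that directory.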
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 073f3de14..16a240d7c 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -1,23 +1,39 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ( manageCert "biostase.de" ) + ( servePage "biostase.de" ) + + ( manageCert "gs-maubach.de" ) + ( servePage "gs-maubach.de" ) + + ( manageCert "spielwaren-kern.de" ) + ( servePage "spielwaren-kern.de" ) + + ( manageCert "societyofsimtech.de" ) + ( servePage "societyofsimtech.de" ) - lass.staticPage = { - "biostase.de" = {}; - "gs-maubach.de" = {}; - "spielwaren-kern.de" = {}; - "societyofsimtech.de" = {}; - "ttf-kleinaspach.de" = {}; - "edsn.de" = {}; - "eab.berkeley.edu" = {}; - "habsys.de" = {}; - }; + ( manageCert "ttf-kleinaspach.de" ) + ( servePage "ttf-kleinaspach.de" ) + + ( manageCert "edsn.de" ) + ( servePage "edsn.de" ) + + ( manageCert "eab.berkeley.edu" ) + ( servePage "eab.berkeley.edu" ) + + ( manageCert "habsys.de" ) + ( servePage "habsys.de" ) + ]; #lass.owncloud = { # "o.ubikmedia.de" = { diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix index ac784d4c7..4e3eb071a 100644 --- a/lass/2configs/websites/wohnprojekt-rhh.de.nix +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix 
@@ -1,14 +1,20 @@ -{ config, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; + +in { imports = [ - ../../3modules/static_nginx.nix + ( ssl "wohnprojekt-rhh.de" ) + ( servePage "wohnprojekt-rhh.de" ) ]; - lass.staticPage = { - "wohnprojekt-rhh.de" = {}; - }; - users.users.laura = { home = "/srv/http/wohnprojekt-rhh.de"; createHome = true; diff --git a/lass/3modules/static_nginx.nix b/lass/3modules/static_nginx.nix index 6e87e9853..6b5d19615 100644 --- a/lass/3modules/static_nginx.nix +++ b/lass/3modules/static_nginx.nix @@ -54,7 +54,7 @@ let user = config.services.nginx.user; group = config.services.nginx.group; - external-ip = head config.krebs.build.host.nets.internet.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; imp = { krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: { diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index a751a2995..22a8c3c6e 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix 
@@ -1,10 +1,258 @@ -{ lib, ... }: +{ lib, pkgs, ... }: with lib; -{ +rec { getDefaultGateway = ip: concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); + manageCert = domain: + { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + }; + }; + + krebs.nginx.servers."${domain}" = { + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + + manageCerts = domains: + let + domain = head domains; + in { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + extraDomains = genAttrs domains (_: null); + }; + }; + + krebs.nginx.servers."${domain}" = { + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + + ssl = domain: + { + imports = [ + ( manageCert domain ) + ( activateACME domain ) + ]; + }; + + activateACME = domain: + { + krebs.nginx.servers."${domain}" = { + ssl = { + enable = true; + certificate = "/var/lib/acme/${domain}/fullchain.pem"; + certificate_key = "/var/lib/acme/${domain}/key.pem"; + }; + }; + }; + + servePage = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /srv/http/${domain}; + '') + ]; + }; + }; + + serveOwncloud = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + extraConfig = '' + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options 
nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + # Path to the root of your installation + root /srv/http/${domain}/; + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; + rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''; + locations = [ + (nameValuePair "/robots.txt" '' + allow all; + log_not_found off; + access_log off; + '') + (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' + deny all; + '') + + (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' + deny all; + '') + + (nameValuePair "/" '' + rewrite ^/remote/(.*) /remote.php last; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ =404; + '') + + (nameValuePair "~ \.php(?:$|/)" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; + '') + + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block 
+ (nameValuePair "~* \.(?:css|js)$" '' + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + '') + + # Optional: Don't log access to other assets + (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' + access_log off; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + + serveWordpress = domains: + let + domain = head domains; + + in { + krebs.nginx.servers."${domain}" = { + server-names = domains; + extraConfig = '' + root /srv/http/${domain}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + locations = [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + #Directives to send expires headers and turn off 404 error logging. 
+ (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + } diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 96a5f4854..17b2b5093 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -2,8 +2,8 @@ with config.krebs.lib; let - external-ip = head config.krebs.build.host.nets.internet.addrs4; - internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { imports = [ ../. diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index edaf1b803..d9f8ded83 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -3,8 +3,8 @@ with config.krebs.lib; let - external-ip = head config.krebs.build.host.nets.internet.addrs4; - internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { imports = [ ../. diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 125b3dfff..8f51c91dd 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix 
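Review bot: `manageCert` grants `group = "nginx"; allowKeysForGroup = true;` on every certificate, while the php-fpm pools in `serveOwncloud` and `serveWordpress` run as `user = nginx` / `group = nginx`, so any PHP executing inside WordPress or ownCloud (a compromised plugin or upload included) can read `/var/lib/acme/<domain>/key.pem` for every domain on the host. Running each pool as its own user (keeping `listen.owner = nginx` so the server can still connect) or dropping the group-readable keys in favour of handing only nginx the key closes that; PHP needs none of it. `serveWordpress` additionally sets `access_log /tmp/nginx_acc.log; error_log /tmp/nginx_err.log;` — fixed names in a world-writable directory, created by nginx's root master process, which exposes visitor IPs and URLs to every local user and invites symlink tricks unless `fs.protected_symlinks` is on; they belong under `/var/log/nginx/` or the journal, as the pools already do for PHP errors via `php_admin_value[error_log] = 'stderr'`. Finally, `servePage` answers for `www.${domain}` but `manageCert` (and thus `ssl`) only requests `${domain}`, so the `https://www.` name of each `ssl`-wrapped site will present a certificate that does not cover it; add `extraDomains = { "www.${domain}" = null; }` to `manageCert` or drop the `www` server-name.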
@@ -3,7 +3,7 @@ with config.krebs.lib; let hostname = config.krebs.build.host.name; - external-ip = head config.krebs.build.host.nets.internet.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock"; in { services.redis.enable = true; diff --git a/makefu/2configs/iodined.nix b/makefu/2configs/iodined.nix index 2e69d167c..d57c91ce8 100644 --- a/makefu/2configs/iodined.nix +++ b/makefu/2configs/iodined.nix @@ -10,7 +10,7 @@ in { enable = true; domain = domain; ip = "172.16.10.1/24"; - extraConfig = "-P ${pw} -l ${pkgs.lib.head config.krebs.build.host.nets.internet.addrs4}"; + extraConfig = "-P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}"; }; } diff --git a/makefu/2configs/nginx/euer.blog.nix b/makefu/2configs/nginx/euer.blog.nix index 9d08f4b9a..137c0b0e3 100644 --- a/makefu/2configs/nginx/euer.blog.nix +++ b/makefu/2configs/nginx/euer.blog.nix @@ -8,8 +8,8 @@ let hostname = config.krebs.build.host.name; user = config.services.nginx.user; group = config.services.nginx.group; - external-ip = head config.krebs.build.host.nets.internet.addrs4; - internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; base-dir = "/var/www/blog.euer"; in { # Prepare Blog directory diff --git a/makefu/2configs/nginx/euer.test.nix b/makefu/2configs/nginx/euer.test.nix index f7214e613..84b9bacda 100644 --- a/makefu/2configs/nginx/euer.test.nix +++ b/makefu/2configs/nginx/euer.test.nix 
@@ -5,8 +5,8 @@ let hostname = config.krebs.build.host.name; user = config.services.nginx.user; group = config.services.nginx.group; - external-ip = head config.krebs.build.host.nets.internet.addrs4; - internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { krebs.nginx = { enable = mkDefault true; diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix index a5572a519..10985c833 100644 --- a/makefu/2configs/nginx/euer.wiki.nix +++ b/makefu/2configs/nginx/euer.wiki.nix @@ -18,8 +18,8 @@ let # user1 = pass1 # userN = passN tw-pass-file = "${sec}/tw-pass.ini"; - external-ip = head config.krebs.build.host.nets.internet.addrs4; - internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { services.phpfpm = { # phpfpm does not have an enable option diff --git a/makefu/2configs/nginx/update.connector.one.nix b/makefu/2configs/nginx/update.connector.one.nix index ac5e6b17b..dde3e3a64 100644 --- a/makefu/2configs/nginx/update.connector.one.nix +++ b/makefu/2configs/nginx/update.connector.one.nix @@ -3,7 +3,7 @@ with config.krebs.lib; let hostname = config.krebs.build.host.name; - external-ip = head config.krebs.build.host.nets.internet.addrs4; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; in { krebs.nginx = { enable = mkDefault true; diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix index 3a4dd456f..c943e3d9a 100644 --- a/makefu/2configs/omo-share.nix +++ b/makefu/2configs/omo-share.nix 
@@ -5,7 +5,7 @@ let hostname = config.krebs.build.host.name; # TODO local-ip from the nets config local-ip = "192.168.1.11"; - # local-ip = head config.krebs.build.host.nets.retiolum.addrs4; + # local-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { krebs.nginx = { enable = mkDefault true; diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index f0323dc2f..53334d6f1 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ... }: let - shack-ip = lib.head config.krebs.build.host.nets.shack.addrs4; - internal-ip = lib.head config.krebs.build.host.nets.retiolum.addrs4; + shack-ip = config.krebs.build.host.nets.shack.ip4.addr; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { imports = [ diff --git a/tv/1systems/doppelbock.nix b/tv/1systems/doppelbock.nix new file mode 100644 index 000000000..ec85a7772 --- /dev/null +++ b/tv/1systems/doppelbock.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: +with config.krebs.lib; +{ + krebs.build.host = config.krebs.hosts.doppelbock; + + imports = [ + ../. + ../2configs/hw/CAC-Developer-2.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix + ../2configs/retiolum.nix + ]; + + networking = { + interfaces.enp2s1.ip4 = singleton { + address = let + addr = "45.62.237.203"; + in assert config.krebs.build.host.nets.internet.ip4.addr == addr; addr; + prefixLength = 24; + }; + defaultGateway = "45.62.237.1"; + nameservers = ["8.8.8.8"]; + }; +} diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index 58a8fdcb2..f46ed9547 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -7,12 +7,7 @@ let getDefaultGateway = ip: concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); - - primary-addr4 = - builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0; - - #secondary-addr4 = - # builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1; + primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr; in { 
@@ -55,10 +50,6 @@ in address = primary-addr4; prefixLength = 24; } - #{ - # address = secondary-addr4; - # prefixLength = 24; - #} ]; # TODO define gateway in krebs/3modules/default.nix diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index c54caa649..25fae2c36 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -7,12 +7,7 @@ let getDefaultGateway = ip: concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); - - primary-addr4 = - builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0; - - #secondary-addr4 = - # builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1; + primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr; in { diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index 280d8572b..2b9ad77d7 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -13,7 +13,7 @@ with config.krebs.lib; "shackspace.de" "viljetic.de" ]; - relay_from_hosts = concatMap (host: host.nets.retiolum.addrs4) [ + relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ config.krebs.hosts.nomic config.krebs.hosts.wu config.krebs.hosts.xu diff --git a/tv/3modules/charybdis/config.nix b/tv/3modules/charybdis/config.nix index e4d754ff3..1b160926c 100644 --- a/tv/3modules/charybdis/config.nix +++ b/tv/3modules/charybdis/config.nix @@ -56,9 +56,9 @@ in toFile "charybdis.conf" '' /* On multi-homed hosts you may need the following. These define * the addresses we connect from to other servers. */ /* for IPv4 */ - vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; + vhost = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr}; /* for IPv6 */ - vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; + vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr}; /* ssl_private_key: our ssl private key */ ssl_private_key = ${toJSON cfg.ssl_private_key.path}; 
@@ -160,10 +160,7 @@ in toFile "charybdis.conf" '' /* If you want to listen on a specific IP only, specify host. * host definitions apply only to the following port line. */ - # XXX This is stupid because only one host is allowed[?] - #host = ''${concatMapStringsSep ", " toJSON ( - # config.krebs.build.host.nets.retiolum.addrs - #)}; + #host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr}; port = ${toString cfg.port}; sslport = ${toString cfg.sslport}; }; |