diff options
32 files changed, 626 insertions, 542 deletions
@@ -8,6 +8,9 @@ let imports = [ ./krebs ./krebs/2configs + ({ config, ... }: { + krebs.build.host = config.krebs.hosts.test-all-krebs-modules; + }) ]; }]; } diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 2772d8d37..f76d3c536 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -50,6 +50,7 @@ let ./shadow.nix ./ssl.nix ./sync-containers.nix + ./systemd.nix ./tinc.nix ./tinc_graphs.nix ./upstream diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 4eb1d6411..fe149448b 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -24,13 +24,8 @@ let type = types.str; }; private_key = mkOption { - type = types.secret-file; - default = { - name = "exim.dkim_private_key/${config.domain}"; - path = "/run/krebs.secret/${config.domain}.dkim_private_key"; - owner.name = "exim"; - source-path = toString <secrets> + "/${config.domain}.dkim.priv"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/${config.domain}.dkim.priv"; defaultText = "‹secrets/‹domain›.dkim.priv›"; }; selector = mkOption { @@ -111,24 +106,13 @@ let }; imp = { - krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: { - name = "exim.dkim_private_key/${dkim.domain}"; - value = dkim.private_key; - })); - systemd.services = mkIf (cfg.dkim != []) { - exim = { - after = flip map cfg.dkim (dkim: - config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service - ); - partOf = flip map cfg.dkim (dkim: - config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service - ); - }; - }; + krebs.systemd.services.exim = {}; + systemd.services.exim.serviceConfig.LoadCredential = + map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim; krebs.exim = { enable = true; config = /* exim */ '' - keep_environment = + keep_environment = CREDENTIALS_DIRECTORY primary_hostname = ${cfg.primary_hostname} @@ -242,8 +226,9 @@ let ${optionalString (cfg.dkim != []) (indent /* exim */ '' dkim_canon = relaxed dkim_domain = $sender_address_domain - dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} + dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}} dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} + dkim_strict = true '')} helo_data = ''${if eq{$acl_m_special_dom}{} \ {$primary_hostname} \ @@ -281,10 +266,6 @@ let inherit (cfg) internet-aliases; inherit (cfg) system-aliases; } // optionalAttrs (cfg.dkim != []) { - dkim_private_key = flip map cfg.dkim (dkim: { - from = dkim.domain; - to = dkim.private_key.path; - }); dkim_selector = flip map cfg.dkim (dkim: { from = dkim.domain; to = dkim.selector; diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 91ce66742..4a87c3501 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -43,6 +43,7 @@ in { QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ== -----END PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN"; }; }; }; @@ -66,8 +67,8 @@ in { PyB9OiK6tN+L63QFM7H1NFN9fPeOd2WbHvfoeX255kx8FHSALKL5rVSz9Ejwc97k rG0FItgHXajPazulBfUV0N9ck7SwLTmStKxtQ8NKCoIJLpv2ip4C+t0CAwEAAQ== -----END RSA PUBLIC KEY----- - Ed25519PublicKey = 47fX1g6qynVprA+PtniBLEonFp1B70nMrJ8SBCWNJnL ''; + tinc.pubkey_ed25519 = "47fX1g6qynVprA+PtniBLEonFp1B70nMrJ8SBCWNJnL"; }; }; }; @@ -167,8 +168,8 @@ in { Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ== -----END RSA PUBLIC KEY----- - Ed25519PublicKey = s/HNXjzVyDiBZImQdhJqUmj7symv+po9D9uDj+/6c2F ''; + tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC"; }; }; }; @@ -196,6 +197,7 @@ in { qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ== -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN"; }; }; }; @@ -219,8 +221,8 @@ in { 6mAPiTLI7oFYpWIP0UiM7u4o6iDW9S8G9l+vLZJyEmhEUZJUkWoXRy2Ibd6ix0L3 eA6izpRuehl1OLePY4HNkuqOgXiEf1mgNcoGnyx3kzKYa1cUlMP0ve8CAwEAAQ== -----END RSA PUBLIC KEY----- - Ed25519PublicKey = dqJq+qESCNakC3p9duc5LrG26D1scj58Hy1S5kPGtME ''; + tinc.pubkey_ed25519 = "dqJq+qESCNakC3p9duc5LrG26D1scj58Hy1S5kPGtME"; }; }; }; @@ -245,11 +247,38 @@ in { 35bQuqjpFe/bwW1PuK6YspMRK2hQrYkypQNrvjcz0RJJc/1ULILTl0NaZEMtCcj2 t7KpA6wY6WIz5+uTVBnc3vQrcBebfSWzl0IWxjaSufp8ojq5B7mz8s0CAwEAAQ== -----END RSA PUBLIC KEY----- - Ed25519PublicKey = HeSMxgGaB9alyS0n766TJ3qA2fAwvJmMyLPFbYhfZdJ ''; + tinc.pubkey_ed25519 = "HeSMxgGaB9alyS0n766TJ3qA2fAwvJmMyLPFbYhfZdJ"; }; }; }; + + pinpox-ahorn = { + owner = config.krebs.users.pinpox; + nets = { + retiolum = { + ip4.addr = "10.243.100.100"; + aliases = [ "pinpox-ahorn.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAyfCuWUYEqp4vEt+a6DRvFpIrBu+GlkpNs/mE4OHzATQLNnWooOXQ + 4mncdpx7OKf5jKxQY6NytW2ogRTEr8F5B52O5jE4OAoj64WG2xhuzO82MDIuVJ0h + ihiiVZ2O8Dx5sfhto7sr2Z9bsbpAZ3lSZC23I+NXk55KVxwl7YPzmZGD/dXLy/OC + R7KTvNbkO5T+BkcRpeigSV/ROymenxbpOoEFZb9PXpE4NJCOaX1ZnUrD93xVUhh1 + 7aHqqA3iWqjU8AK7Xp2Hm06pHNVjP0TfmleGtcCt47D6zQytmfjGwptdva4RqMfT + 0BWvjGoQYDmgLveYIYssWlcjfvn9oRRvlFS6QeUZ8pP/YsvgnR4wfILFbQMKvGFn + OXrmZ6vG2rqmJCGfuo3sd3YdhPwHWDmNz0ORJRQ8EcDAblfyjkGS8CZvC/Cmh2vU + bPEEl78g30Kpd8dFpym24C8LwtujK+rzk6EJJrfu0DAlxlDGJyGC89yKktkYV6Mh + Cy9Mwfz8eFRF2IcwEJNgi10/GMiN9LYk3R49wQN/6poQd62cS0C8bBkeWIgvSn5Q + zpvvg7ChjmvDc6rxiO1XXWODXVWFogu6IxMRKUgxk9EheX0UEu2ZpzalqmQqPm9Y + J1rBAUDan+au0WkocTbCIB3Y18byvrRuegxeny6XzS8ECFnsZSyWzo8CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "rMX99xOg69naxQoRc/wHCmaHC5aq+7vjwpzjK0z73KJ"; + }; + }; + }; + rilke = { owner = config.krebs.users.kmein; nets.wiregrill = { @@ -310,6 +339,7 @@ in { uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ== -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH"; }; }; }; @@ -422,8 +452,8 @@ in { 2h+zZqkG4boV6CrMEjStb15EOXTUVfq0DPojFik6agCltslsJAwp+f1fb7NSee4d TNWb1CHfIQWLPnm1LFwphSqyHY/9ehcsX3PJ7oXI+/BnV8ivvoApWA0CAwEAAQ== -----END RSA PUBLIC KEY----- - Ed25519PublicKey = DWfh6H8Qco+GURdVRhKhLBAsN5epsEYhOM2+88dTdTE ''; + tinc.pubkey_ed25519 = "DWfh6H8Qco+GURdVRhKhLBAsN5epsEYhOM2+88dTdTE"; }; }; }; @@ -681,8 +711,8 @@ in { 1T6DILDF71H92PNylujKSPA0CKI160xJ61Xy/T6MYl5u0+RblAgYr77o5HJwmXCe jFrCu3SKUIlJWYHWE8yNoR+VVYeXakbDFYE3KpVyBDG+ljUbia+Oel8CAwEAAQ== -----END RSA PUBLIC KEY----- - Ed25519PublicKey = 3IKIoZqg0jm9+pOOka2FEtihx0y8qAdJqKTuRfJtMpK ''; + tinc.pubkey_ed25519 = "3IKIoZqg0jm9+pOOka2FEtihx0y8qAdJqKTuRfJtMpK"; }; }; }; @@ -716,6 +746,9 @@ in { mail = "joerg@thalheim.io"; pubkey = ssh-for "mic92"; }; + pinpox = { + mail = "main@pablo.tools"; + }; sandro = {}; shannan = { mail = "shannan@lekwati.com"; diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 901379294..b6ade20e5 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -167,8 +167,8 @@ in { nets = rec { internet = { # eve.thalheim.io - ip4.addr = "95.216.112.61"; - ip6.addr = "2a01:4f9:2b:1605::1"; + ip4.addr = "88.99.244.96"; + ip6.addr = "2a01:4f8:10b:49f::1"; aliases = [ "eve.i" ]; }; retiolum = { @@ -354,7 +354,6 @@ in { owner = config.krebs.users.mic92; nets = { retiolum = { - ip4.addr = "10.243.29.176"; aliases = [ "matchbox.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -775,5 +774,30 @@ in { }; }; }; + + mickey = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + aliases = [ "mickey.r" ]; + tinc.pubkey = '' + Ed25519PublicKey = cE450gYxzp9kAzV5ytU9N7aV+WdnD7wQMjkPWV7r/bC + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA7TwI3/tyl3z46Enr6p/0bpl5CpG6DZLxjAhsMcWBM+4xTL9s18IZ + 2FGbyS3EyOBprMBQULrik1u0rfZ0AL8XdO6h+r1BD6XmlZtUu3FJaVeXrLBPGtC0 + qqC0mZOj1ezTl3kC9/O7slU1/vuIRWiiRuvmvLnc6uWo+ShTl8fs0a3rY7/FsFVY + ZClf2M/5cJmeZpwy+PvgGmhSvjflO5+v+C+LvvhfVzoLw2zf8Gbi23ifS0uhhJt2 + 9ztGnmQg+n4+EWEN3XFS1XXHO2P2jyy1ss5NrN0JrO/1J519owHXxbo096MV12xr + azD6of8k0xHbfW4PW0/U1qzs9Ra1T54D+xtnyemLOyeCApwUy+bSg+XuqMz1Wy55 + dci7cBguTIn+pnJqcf8lGSfWDSxlBiwrbXSPszlRQ6vO8MA2uciSmOKodKtNj4bQ + 5IfdHHOHGAuuE+ZNt6owc/8QzQ3dVT+fVmTeN1PB4FmPmF5E2kOpe4NebZ0DhD+g + +g/bNO5FFlIy2M+LKauIXugAHlrVrxl4blfjVkb9xrfsSJHQl8/G/F9zMUAzUBv3 + W8cVFn9mAw0FFaQljs9iha92we6Vs93v+ZvsmSG2MVOYBVwka4FJ7kjaABLFXcjN + RA8gQM/P3j1EmDvemlskWOoCLVELR40BtKdM9MFiGqxGMoNh3DvGWTECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; }; } diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 1bfd58e31..c038fd4c6 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -36,7 +36,7 @@ let type = types.user; default = { name = "fcgiwrap"; - home = toString pkgs.empty; + home = toString pkgs.emptyDirectory; }; }; }; @@ -111,7 +111,7 @@ let type = types.user; default = { name = "git"; - home = toString pkgs.empty; + home = toString pkgs.emptyDirectory; }; }; }; diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix index d30b41ee5..7bdf5bb7c 100644 --- a/krebs/3modules/github-known-hosts.nix +++ b/krebs/3modules/github-known-hosts.nix @@ -51,15 +51,9 @@ "52.78.231.108" "13.234.176.102" "13.234.210.38" - "13.229.188.59" - "13.250.177.223" - "52.74.223.119" "13.236.229.21" "13.237.44.5" "52.64.108.95" - "18.228.52.138" - "18.228.67.229" - "18.231.5.6" "20.201.28.151" "20.205.243.166" "102.133.202.242" @@ -70,15 +64,9 @@ "13.125.114.27" "3.7.2.84" "3.6.106.81" - "18.140.96.234" - "18.141.90.153" - "18.138.202.180" "52.63.152.235" "3.105.147.174" "3.106.158.203" - "54.233.131.104" - "18.231.104.233" - "18.228.167.86" "20.201.28.152" "20.205.243.160" "102.133.202.246" diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 6298a05a5..3bab13b0e 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -73,7 +73,7 @@ let }; }; - imp = { + imp = mkMerge ([{ networking.firewall.enable = false; systemd.services.krebs-iptables = { @@ -97,7 +97,41 @@ let unitConfig.DefaultDependencies = false; }; - }; + }] ++ compat); + + compat = [ + ({ + krebs.iptables.tables.filter.INPUT.rules = map + (port: { predicate = "-p tcp --dport ${toString port}"; target = "ACCEPT"; }) + config.networking.firewall.allowedTCPPorts; + }) + ({ + krebs.iptables.tables.filter.INPUT.rules = map + (port: { predicate = "-p udp --dport ${toString port}"; target = "ACCEPT"; }) + config.networking.firewall.allowedUDPPorts; + }) + ({ + krebs.iptables.tables.filter.INPUT.rules = map + (portRange: { predicate = "-p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) + config.networking.firewall.allowedTCPPortRanges; + }) + ({ + krebs.iptables.tables.filter.INPUT.rules = map + (portRange: { predicate = "-p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) + config.networking.firewall.allowedUDPPortRanges; + }) + ({ + krebs.iptables.tables.filter.INPUT.rules = flatten (mapAttrsToList + (interface: interfaceConfig: [ + (map (port: { predicate = "-i ${interface} -p tcp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPorts) + (map (port: { predicate = "-i ${interface} -p udp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPorts) + (map (portRange: { predicate = "-i ${interface} -p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPortRanges) + (map (portRange: { predicate = "-i ${interface} -p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPortRanges) + ]) + config.networking.firewall.interfaces + ); + }) + ]; #buildTable :: iptablesVersion -> iptablesAttrSet` -> str #todo: differentiate by iptables-version diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 280021347..c6924fde5 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -38,17 +38,23 @@ in { ip6.addr = r6 "d15f:1233"; aliases = [ "dishfire.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs - Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7 - uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK - R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd - vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U - HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB - -----END RSA PUBLIC KEY----- - ''; + "grafana.lass.r" + "prometheus.lass.r" + "alert.lass.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs + Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7 + uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK + R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd + vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U + HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "P+bhzhgTNdohWdec//t/e+8cI7zUOsS+Kq/AOtineAO"; + }; tinc.port = 655; }; }; @@ -125,32 +131,35 @@ in { "search.r" ]; tinc.port = 655; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje - fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo - rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z - ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB - wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio - /jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA - BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C - 9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5 - Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu - 3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH - TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb - g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ - kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg - 7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo - 7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz - cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451 - k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0 - dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu - ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i - jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/ - AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE - T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje + fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo + rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z + ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB + wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio + /jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA + BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C + 9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5 + Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu + 3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH + TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb + g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ + kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg + 7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo + 7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz + cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451 + k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0 + dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu + ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i + jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/ + AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE + T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "XbBBPg+dtZM1LRN46VAujVKIC6VSo6nFoHo/1unbggO"; + }; }; wiregrill = { via = internet; @@ -183,16 +192,19 @@ in { "mors.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE - H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R - +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+ - 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa - 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU - O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE + H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R + +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+ + 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa + 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU + O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "kuh0cP/HjGOQ+NafR3zjmqp+RAnA59F4CgtzENj9/MM"; + }; }; wiregrill = { ip6.addr = w6 "dea7"; @@ -217,16 +229,19 @@ in { "shodan.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT - YYZgM2lBkYcDN3/LdGaFFKrQQSGiF90oXA2wFqPuIfycx+1+TENGCzF8pExwbTd7 - ROSVnISbghXYDgr3TqkjpPmnM+piFKymMDBGhxWuy1bw1AUfvRzhQwPAvtjB4VvF - 7AVN/Z9dAZ/LLmYfYq7fL8V7PzQNvR+f5DP6+Eubx0xCuyuo63bWuGgp3pqKupx4 - xsixtMQPuqMBvOUo0SBCCPa9a+6I8dSwqAmKWM5BhmNlNCRDi37mH/m96av7SIiZ - V29hwypVnmLoJEFiDzPMCdiH9wJNpHuHuQIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT + YYZgM2lBkYcDN3/LdGaFFKrQQSGiF90oXA2wFqPuIfycx+1+TENGCzF8pExwbTd7 + ROSVnISbghXYDgr3TqkjpPmnM+piFKymMDBGhxWuy1bw1AUfvRzhQwPAvtjB4VvF + 7AVN/Z9dAZ/LLmYfYq7fL8V7PzQNvR+f5DP6+Eubx0xCuyuo63bWuGgp3pqKupx4 + xsixtMQPuqMBvOUo0SBCCPa9a+6I8dSwqAmKWM5BhmNlNCRDi37mH/m96av7SIiZ + V29hwypVnmLoJEFiDzPMCdiH9wJNpHuHuQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "Ptc5VuYkRd5+zHibZwNe3DEgGHHvAk0Ul00dW1YXsrC"; + }; }; wiregrill = { ip6.addr = w6 "50da"; @@ -252,16 +267,19 @@ in { "icarus.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr - Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK - 7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t - k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7 - zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt - gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr + Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK + 7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t + k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7 + zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt + gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "vUc/ynOlNqB7a+sr0BmfdRv0dATtGZTjsU2qL2yGInK"; + }; }; wiregrill = { ip6.addr = w6 "1205"; @@ -286,16 +304,19 @@ in { "daedalus.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8 - 5hz7go+l3Z7IhTc/HbpGFJ5QJJNFSuSpLfZVyi+cKAUVheTivIniHFIRw37JbJ4+ - qWTlVe3uvOiZ0cA9S6LrbzqAUTLbH0JlWj36mvGIPICDr9YSEkIUKbenxjJlIpX8 - ECEBm8RU1aq3PUo/cVjmpqircynVJBbRCXZiHoxyLXNmh23d0fCPCabEYWhJhgaR - arkYRls5A14HGMI52F3ehnhED3k0mU8/lb4OzYgk34FjuZGmyRWIfrEKnqL4Uu2w - 3pmEvswG1WYG/3+YE80C5OpCE4BUKAzYSwIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8 + 5hz7go+l3Z7IhTc/HbpGFJ5QJJNFSuSpLfZVyi+cKAUVheTivIniHFIRw37JbJ4+ + qWTlVe3uvOiZ0cA9S6LrbzqAUTLbH0JlWj36mvGIPICDr9YSEkIUKbenxjJlIpX8 + ECEBm8RU1aq3PUo/cVjmpqircynVJBbRCXZiHoxyLXNmh23d0fCPCabEYWhJhgaR + arkYRls5A14HGMI52F3ehnhED3k0mU8/lb4OzYgk34FjuZGmyRWIfrEKnqL4Uu2w + 3pmEvswG1WYG/3+YE80C5OpCE4BUKAzYSwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "ybmNcRLtZ0NxlxIRE3bdc2G4lLXtTGXu+iRaXMTKCNG"; + }; }; wiregrill = { ip6.addr = w6 "daed"; @@ -318,16 +339,19 @@ in { "skynet.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX - Ic457utOSGxTE+90yXXez2DD9llJMMyd+O06lHJ7CxtbJGBNr3jwoUZVCdBuuo5B - p9XfhXU9l9fUsbc1+a/cDjPBhQv8Uqmc6tOX+52H1aqZsa4W50c9Dv5vjsHgxCB0 - yiUd2MrKptCQTdmMM9Mf0XWKPPOuwpHpxaomlrpUz07LisFVGGHCflOvj5PAy8Da - NC+AfNgR/76yfuYWcv4NPo9acjD9AIftS2c0tD3szyHBCGaYK/atKzIoBbFbOtMb - mwG3B0X3UdphkqGDGsvT+66Kcv2jnKwL0wIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX + Ic457utOSGxTE+90yXXez2DD9llJMMyd+O06lHJ7CxtbJGBNr3jwoUZVCdBuuo5B + p9XfhXU9l9fUsbc1+a/cDjPBhQv8Uqmc6tOX+52H1aqZsa4W50c9Dv5vjsHgxCB0 + yiUd2MrKptCQTdmMM9Mf0XWKPPOuwpHpxaomlrpUz07LisFVGGHCflOvj5PAy8Da + NC+AfNgR/76yfuYWcv4NPo9acjD9AIftS2c0tD3szyHBCGaYK/atKzIoBbFbOtMb + mwG3B0X3UdphkqGDGsvT+66Kcv2jnKwL0wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "9s7eB16k7eAtHyneffTCmYR7s3mRpJqpVVjSPGaVKKN"; + }; }; wiregrill = { ip6.addr = w6 "5ce7"; @@ -352,32 +376,35 @@ in { "littleT.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF - /m2ZWpKDZyKx17GXQwm8n0NgyvcemvoCVGqSHIsbxvLB6aBF6ZLkeKyx1mZioEDY - 1MWR+yr42dFn+6uVTxJhLPmOxgX0D3pWe31UycoAMSWf4eAhmFIEFUvQCAW43arO - ni1TFSsaHOCxOaLVd/r7tSO0aT72WbOat84zWccwBZXvpqt/V6/o1MGB28JwZ92G - sBMjsCsoiciSg9aAzMCdjOYdM+RSwHEHI9xMineJgZFAbQqwTvK9axyvleJvgaWR - M9906r/17tlqJ/hZ0IwA6X+OT4w/JNGruy/5phxHvZmDgvXmYD9hf2a6JmjOMPp/ - Zn6zYCDYgSYugwJ7GI39GG7f+3Xpmre87O6g6WSaMWCfdOaAeYnj+glP5+YvTLpT - +cdN9HweV27wShRozJAqTGZbD0Nfs+EXd0J/q6kP43lwv6wyZdmXCShPF2NzBlEY - xdtWKhRYKC1cs0Z2nK+XGEyznNzp1f8NC5qvTguj4kDMhoOd6WXwk460HF49Tf/c - aGQTGzgEVMAI7phTJubEmxdBooedvPFamS5wpHTmOt9dZ3qbpCgThaMblVvUu/lm - 7pkPgc60Y2RAk/Rvyy5A8AaxBXPRBNwVkM5TY/5TW+S1zY09600ZCC2GE27qGT9v - k4GHabO42n3wTHk+APodzKDBbEazhOp5Oclg4nNKqgg+IrmheB91oEqBXlfyDj8B - idVoUvbH9WPwBqdh7hoqzrHDur5wCFBphrkjEe98o5iFFFi2C8W04H7iqe+nFqvJ - y/vzKk5kbfpjov71EEje+hNUCLTWF7sjgT4Z2z8LuqjpIq+d2i5dASfTqj4VBs6D - SeiHyyAfCHG/03I9E5eizCCd98Tr30yhu3IKsdFFXsVwxHVFenq2Y1ca7uypCk+i - mDC5q5WQFEK/8SSO25i1teWBawfNVVVI/A1b676VJyafS9ebJs8TmXYRbE6rcBzH - PssdHNwbtEwhbGdQhgQ2pqQg1SIZM3zvjcpgzL9QP29tulubJ05keaw/4p/Yg/mB - ivF8EAIefXYYVxYkRQsHox7UQpSCzjOtj7gvc0KdJxshSLuryM0LxP+gk+x6JPX5 - Ht8x+oE7iL0cqBsIenc/e0XdTZ+4zrBY5hWbGH8a8VJqEYs54WRJhzQf1jzNaCbS - 8328MpRF5lXujv61aveg0i4pvczznlSV7wXmmwNAdhvSUTh34tCpRqabpCJdlRBt - NvVuij6guPKt4XV1TxXNsPCfib1vYjvwX8gUE4UhL69VmM8OBaC3XdroMfNvz9YW - 5ObxDGIEiP53Jp8hiWId0AI/XF5Ct3Gh2wIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF + /m2ZWpKDZyKx17GXQwm8n0NgyvcemvoCVGqSHIsbxvLB6aBF6ZLkeKyx1mZioEDY + 1MWR+yr42dFn+6uVTxJhLPmOxgX0D3pWe31UycoAMSWf4eAhmFIEFUvQCAW43arO + ni1TFSsaHOCxOaLVd/r7tSO0aT72WbOat84zWccwBZXvpqt/V6/o1MGB28JwZ92G + sBMjsCsoiciSg9aAzMCdjOYdM+RSwHEHI9xMineJgZFAbQqwTvK9axyvleJvgaWR + M9906r/17tlqJ/hZ0IwA6X+OT4w/JNGruy/5phxHvZmDgvXmYD9hf2a6JmjOMPp/ + Zn6zYCDYgSYugwJ7GI39GG7f+3Xpmre87O6g6WSaMWCfdOaAeYnj+glP5+YvTLpT + +cdN9HweV27wShRozJAqTGZbD0Nfs+EXd0J/q6kP43lwv6wyZdmXCShPF2NzBlEY + xdtWKhRYKC1cs0Z2nK+XGEyznNzp1f8NC5qvTguj4kDMhoOd6WXwk460HF49Tf/c + aGQTGzgEVMAI7phTJubEmxdBooedvPFamS5wpHTmOt9dZ3qbpCgThaMblVvUu/lm + 7pkPgc60Y2RAk/Rvyy5A8AaxBXPRBNwVkM5TY/5TW+S1zY09600ZCC2GE27qGT9v + k4GHabO42n3wTHk+APodzKDBbEazhOp5Oclg4nNKqgg+IrmheB91oEqBXlfyDj8B + idVoUvbH9WPwBqdh7hoqzrHDur5wCFBphrkjEe98o5iFFFi2C8W04H7iqe+nFqvJ + y/vzKk5kbfpjov71EEje+hNUCLTWF7sjgT4Z2z8LuqjpIq+d2i5dASfTqj4VBs6D + SeiHyyAfCHG/03I9E5eizCCd98Tr30yhu3IKsdFFXsVwxHVFenq2Y1ca7uypCk+i + mDC5q5WQFEK/8SSO25i1teWBawfNVVVI/A1b676VJyafS9ebJs8TmXYRbE6rcBzH + PssdHNwbtEwhbGdQhgQ2pqQg1SIZM3zvjcpgzL9QP29tulubJ05keaw/4p/Yg/mB + ivF8EAIefXYYVxYkRQsHox7UQpSCzjOtj7gvc0KdJxshSLuryM0LxP+gk+x6JPX5 + Ht8x+oE7iL0cqBsIenc/e0XdTZ+4zrBY5hWbGH8a8VJqEYs54WRJhzQf1jzNaCbS + 8328MpRF5lXujv61aveg0i4pvczznlSV7wXmmwNAdhvSUTh34tCpRqabpCJdlRBt + NvVuij6guPKt4XV1TxXNsPCfib1vYjvwX8gUE4UhL69VmM8OBaC3XdroMfNvz9YW + 5ObxDGIEiP53Jp8hiWId0AI/XF5Ct3Gh2wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "rDnc4Ha+M6fyN5JU4lkV9NKfMBtIHOcG4/AUB9KodiP"; + }; }; wiregrill = { ip6.addr = w6 "771e"; @@ -402,32 +429,35 @@ in { "xerxes.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U - MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk - gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W - /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb - mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO - X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj - +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim - hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9 - 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4 - H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5 - JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4 - hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe - SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo - 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe - vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3 - Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO - scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv - jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ - Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u - /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0 - bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ - sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB - -----END RSA PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U + MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk + gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W + /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb + mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO + X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj + +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim + hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9 + 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4 + H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5 + JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4 + hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe + SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo + 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe + vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3 + Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO + scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv + jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ + Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u + /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0 + bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ + sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "PRtxFg/zw8dmwEGEM+u28N5GWuGNiHSNlaieplVSqQK"; + }; }; wiregrill = { ip6.addr = w6 "3"; @@ -452,22 +482,25 @@ in { "yellow.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP - MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY - b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU - Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd - OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP - vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6 - C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp - Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU - 52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg - zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p - DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ - Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP + MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY + b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU + Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd + OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP + vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6 + C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp + Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU + 52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg + zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p + DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ + Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "qZBhDSW6ir1/w6lOngg2feCZj9W9AfifEMlKXcOb5QE"; + }; }; wiregrill = { ip6.addr = w6 "3110"; @@ -490,22 +523,25 @@ in { "blue.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd - QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc - sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM - wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu - PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ - RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/ - HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm - khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP - 49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N - w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6 - ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J - Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd + QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc + sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM + wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu + PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ + RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/ + HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm + khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP + 49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N + w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6 + ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J + Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "vf3JzuLpEkjcwZtuJ/0M9Zjfp5ChKXvkORMXsZ4nJKL"; + }; }; wiregrill = { ip6.addr = w6 "b1ce"; @@ -530,22 +566,25 @@ in { "green.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk - uoDBjWqhM9Pgq6PJSpJjyNAgMkKJcQnWi0WpELaHISAVqjdPGUQSLiar++JN3YBx - ZQGFiucG0ijVJKAUbQQDYbc+RGK8MGO2v3Bv/6E56UKjxtT1zjjvkyXpSC7FN477 - n9IfsvIzH/RLcAP5VnHBYqZ467UR4rqi7T7yWjrEgr+VirY9Opp9LM9YozlbRrlI - hYshk5RET/EvOSwYlw/KJEMMmYHro74neZKIVKoXD3CSE66rncNmdFwD3ZXVxYn6 - m3Eob8ojWPW+CpAL2AurUyq4Igem9JVigZiyKGgaYsdkOWgkYLW2M0DXX+vCRcM6 - BvJgJn7s0PHkLvybEVveTolRWO+I/IG1LN8m0SvrVPXf5JYHB32nKYwVMLwi+BQ1 - pwo0USGByVRv2lWZfy3doKxow0ppilq4DwoT+iqVO4sK5YhPipBHSmCcaxlquHjy - 2k1eb0gYisp0LBjHlhTErXtt4RlrUqs/84RfgtIZYUowJfXbtEbyDmLIlESbY7qk - UlXIMXtY0sWpDivWwpdMj9kJdKlS09QTMeLYz4fFGXMksFmLijx8RKDOYfNWL7oA - udmEOHPzYzu/Ex8RfKJjD4GhWLDvDTcyXDG9vmuDNZGcPHANeg23sGhr5Hz37FRT - 3MVh92sFyMVYkJcL7SISk80CAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk + uoDBjWqhM9Pgq6PJSpJjyNAgMkKJcQnWi0WpELaHISAVqjdPGUQSLiar++JN3YBx + ZQGFiucG0ijVJKAUbQQDYbc+RGK8MGO2v3Bv/6E56UKjxtT1zjjvkyXpSC7FN477 + n9IfsvIzH/RLcAP5VnHBYqZ467UR4rqi7T7yWjrEgr+VirY9Opp9LM9YozlbRrlI + hYshk5RET/EvOSwYlw/KJEMMmYHro74neZKIVKoXD3CSE66rncNmdFwD3ZXVxYn6 + m3Eob8ojWPW+CpAL2AurUyq4Igem9JVigZiyKGgaYsdkOWgkYLW2M0DXX+vCRcM6 + BvJgJn7s0PHkLvybEVveTolRWO+I/IG1LN8m0SvrVPXf5JYHB32nKYwVMLwi+BQ1 + pwo0USGByVRv2lWZfy3doKxow0ppilq4DwoT+iqVO4sK5YhPipBHSmCcaxlquHjy + 2k1eb0gYisp0LBjHlhTErXtt4RlrUqs/84RfgtIZYUowJfXbtEbyDmLIlESbY7qk + UlXIMXtY0sWpDivWwpdMj9kJdKlS09QTMeLYz4fFGXMksFmLijx8RKDOYfNWL7oA + udmEOHPzYzu/Ex8RfKJjD4GhWLDvDTcyXDG9vmuDNZGcPHANeg23sGhr5Hz37FRT + 3MVh92sFyMVYkJcL7SISk80CAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "WfH8ULtWklOFK6htphdSSL46vHn6TkJIhsvK9fK+4+C"; + }; }; wiregrill = { ip6.addr = w6 "12ee"; @@ -599,22 +638,25 @@ in { "hilum.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb - pLx6gu6VycxaDcWAoTWSjPsOT2IJf3NYC6i8D6WASnRqR6djp06OG7Onu0r5hZhi - V5nelDUvR75qVAx9ZeuQDSdNpWuVMds/C3cQM6QQHD1kFwnr2n6VH/qy0W9duW8c - SGX3C80nRpmY0cCEEnxFdFdLSd0c15M+lFVAaqh2225ujXyyvkwH874yvpWLPSdh - 4xjZdrOFarl5yb9q83HcZsdunn+469BeKCWB8bs+nRsp9Wwj1en1yAZTB3WazYNE - saFQ0xGa7VGfHN0PjqgZEF2I2IiQJ+H3N5XRQ7dcJzsDRB8lMrCx2ynJkJRSjLXz - vgZjW+Rf47V9CLRjJGCp1xh6GbXqjsIYh5yqZkgH4Sm1VpMBYdr/kLjiygwzV8jY - 8uoBUgEHLc5B73/D3GlMe3bOJmxxMfyPITVTFHgznycalBNBSsgKpIwWae6LbYhZ - wrpi66IQOyC6YYThqn8pz3KUz17HxyacA/mS6/jcRP+IiHb9CYcS4BsjTpH3NnM3 - RkSWE3FGE+ULH1W/VeA8pZRKAR1rypvMRdewbFTQpe/dNgif5O5Fe/7l/6KDzzCh - Zqqr6sEFhutPUd6PcaVtQlfzYkJ9MGYWYr4S17D7Q9V0H37a0AcRaYH59FCmlFjl - 87b8jfJNXlKFW+EBxBxN2uECAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb + pLx6gu6VycxaDcWAoTWSjPsOT2IJf3NYC6i8D6WASnRqR6djp06OG7Onu0r5hZhi + V5nelDUvR75qVAx9ZeuQDSdNpWuVMds/C3cQM6QQHD1kFwnr2n6VH/qy0W9duW8c + SGX3C80nRpmY0cCEEnxFdFdLSd0c15M+lFVAaqh2225ujXyyvkwH874yvpWLPSdh + 4xjZdrOFarl5yb9q83HcZsdunn+469BeKCWB8bs+nRsp9Wwj1en1yAZTB3WazYNE + saFQ0xGa7VGfHN0PjqgZEF2I2IiQJ+H3N5XRQ7dcJzsDRB8lMrCx2ynJkJRSjLXz + vgZjW+Rf47V9CLRjJGCp1xh6GbXqjsIYh5yqZkgH4Sm1VpMBYdr/kLjiygwzV8jY + 8uoBUgEHLc5B73/D3GlMe3bOJmxxMfyPITVTFHgznycalBNBSsgKpIwWae6LbYhZ + wrpi66IQOyC6YYThqn8pz3KUz17HxyacA/mS6/jcRP+IiHb9CYcS4BsjTpH3NnM3 + RkSWE3FGE+ULH1W/VeA8pZRKAR1rypvMRdewbFTQpe/dNgif5O5Fe/7l/6KDzzCh + Zqqr6sEFhutPUd6PcaVtQlfzYkJ9MGYWYr4S17D7Q9V0H37a0AcRaYH59FCmlFjl + 87b8jfJNXlKFW+EBxBxN2uECAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "9D50r3DmftSe2L++jPktQRbcCrE4sEazMewgbQbodRH"; + }; }; wiregrill = { ip6.addr = w6 "005b"; @@ -640,22 +682,25 @@ in { "styx.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn - ETYrLu/TJjq5iSQx/JbbonJriMS3X/0+m8JREzeol67svQDuZEXTEg5EfEldxrrU - aZpNmTSmFbj2NLLCIfNBL/oLOvg9ElzhN+f+4jvakfEKi7Y7LekV25VVGrHbOEVE - 3G6XWfHx5qO5Vd6kqNWQKD3LG38aZ/Lx9XYDMbujYxPGCtOsabtAz8BKo/RgOZzi - 6A/54RFhdecJm0VoQk3iKpp2YqyCN6dLfJVLil4cREs4sW6nDyF4Y4l3dtZdfskq - m/MoZt6fwOjNIKuI9DGdU4/X1hQelnemstzxY5x1XwG52cz+ww0h7pMF2aggsHqn - Vmaq3b0fXrbn066Ybkbhz3UEIU9zKQGYaANGCnXxbvkd5lWbIN60GEXGE3zYJSAt - EH3FLDTGa27fTNgAnbdnSV40KWKN4FM0iY/xrt3aOXfneTP9S2fqzTVEL9vd04C/ - 7RWvRjvZ7mlAi+kVKSHkOibFVjeo+Z4Pvw5YxCAavrjXCiWj8zP8o3MNWcq/bMao - Uk9zBMXymm8zX43w5LNnhf59oitBjiY/mzZ3NDI9N3szMvJsaUEnhO4Kq1CWtMs2 - 6/TpEyRSmen1UmNwgKKFx3rELuctwMmNbOLL8cGLotEBhIk7vnZKD7NvLVX7xtOF - wzhy2N6a3ypB4XqM7dBzzAUCAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn + ETYrLu/TJjq5iSQx/JbbonJriMS3X/0+m8JREzeol67svQDuZEXTEg5EfEldxrrU + aZpNmTSmFbj2NLLCIfNBL/oLOvg9ElzhN+f+4jvakfEKi7Y7LekV25VVGrHbOEVE + 3G6XWfHx5qO5Vd6kqNWQKD3LG38aZ/Lx9XYDMbujYxPGCtOsabtAz8BKo/RgOZzi + 6A/54RFhdecJm0VoQk3iKpp2YqyCN6dLfJVLil4cREs4sW6nDyF4Y4l3dtZdfskq + m/MoZt6fwOjNIKuI9DGdU4/X1hQelnemstzxY5x1XwG52cz+ww0h7pMF2aggsHqn + Vmaq3b0fXrbn066Ybkbhz3UEIU9zKQGYaANGCnXxbvkd5lWbIN60GEXGE3zYJSAt + EH3FLDTGa27fTNgAnbdnSV40KWKN4FM0iY/xrt3aOXfneTP9S2fqzTVEL9vd04C/ + 7RWvRjvZ7mlAi+kVKSHkOibFVjeo+Z4Pvw5YxCAavrjXCiWj8zP8o3MNWcq/bMao + Uk9zBMXymm8zX43w5LNnhf59oitBjiY/mzZ3NDI9N3szMvJsaUEnhO4Kq1CWtMs2 + 6/TpEyRSmen1UmNwgKKFx3rELuctwMmNbOLL8cGLotEBhIk7vnZKD7NvLVX7xtOF + wzhy2N6a3ypB4XqM7dBzzAUCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "yVT5nQstw+o5P0ZoBK81G7sL6nQEBwg42wyBn6ogZgK"; + }; }; wiregrill = { ip6.addr = w6 "111"; @@ -682,22 +727,25 @@ in { "coaxmetal.r" ]; tinc.port = 0; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA - xCc8CkqpUTYldPdB9KJmcH6OpbQqCcPxGOvRe42NdOfCyy11WjAjUMRGnzMyi4MK - gMEjcrl5CnQd9nF9f8Mom8cuSOVm1j46qY7Trl/MsEKsKHiYAHtLFpHz2+UI+HBU - WbSeDLLA8g79SZq/pqWHfp3YKzqP4p+dmi8j+aOZJWkGu9l+Q40qQrTJQCxYgEek - ODeBFCY3DGfJRn79IFGuhF1/jGiAwF3/1j2Rxlesazl6/Lyvmtioplsqn8J94z32 - G5wyGpqn/BcXkJTlWtwb3Rrg6OOALJAqy2H5EoIVT26gwmvkEStMtvgLfAeYjL8F - G2bAtaeQGzwQZNuVJAMI9Qtb+PHw322Wz+P8U669C/HCdGCumMf+M7UDHP79kXOO - IFs1NvkU3z/iO/5bj41v8u0W8+b9NWe++dI8N8q0hWLPgnz5PI998xW06Dul7pAX - K1OMIMfTTGgAZHAF1Kdn1BSXezgwkutwzy5h8XkYclyHB2nPXkXIYmahi1XgWeAE - 7B4NmefbS6H8dLOU7yMEWuxmYl41UOybtyrsp1za5wtERpQgzl6EWfIXISEdx1Ly - bmb3SGtB85RyqqCe2O9DzVZCw7mXgN69R5efyEuq3HIIN9udLNrybPNNyD/OlAqo - l/xwDxiSCEsO6yY5lGc0MCMCAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA + xCc8CkqpUTYldPdB9KJmcH6OpbQqCcPxGOvRe42NdOfCyy11WjAjUMRGnzMyi4MK + gMEjcrl5CnQd9nF9f8Mom8cuSOVm1j46qY7Trl/MsEKsKHiYAHtLFpHz2+UI+HBU + WbSeDLLA8g79SZq/pqWHfp3YKzqP4p+dmi8j+aOZJWkGu9l+Q40qQrTJQCxYgEek + ODeBFCY3DGfJRn79IFGuhF1/jGiAwF3/1j2Rxlesazl6/Lyvmtioplsqn8J94z32 + G5wyGpqn/BcXkJTlWtwb3Rrg6OOALJAqy2H5EoIVT26gwmvkEStMtvgLfAeYjL8F + G2bAtaeQGzwQZNuVJAMI9Qtb+PHw322Wz+P8U669C/HCdGCumMf+M7UDHP79kXOO + IFs1NvkU3z/iO/5bj41v8u0W8+b9NWe++dI8N8q0hWLPgnz5PI998xW06Dul7pAX + K1OMIMfTTGgAZHAF1Kdn1BSXezgwkutwzy5h8XkYclyHB2nPXkXIYmahi1XgWeAE + 7B4NmefbS6H8dLOU7yMEWuxmYl41UOybtyrsp1za5wtERpQgzl6EWfIXISEdx1Ly + bmb3SGtB85RyqqCe2O9DzVZCw7mXgN69R5efyEuq3HIIN9udLNrybPNNyD/OlAqo + l/xwDxiSCEsO6yY5lGc0MCMCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "bEGgA5Wupw+Dgh6Ub7V21Y3wOmyspW1rKGrZsVhi3cO"; + }; }; wiregrill = { ip6.addr = w6 "17"; @@ -723,22 +771,25 @@ in { aliases = [ "echelon.r" ]; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp - 1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A - MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe - UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V - rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez - gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO - c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna - dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze - ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D - KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq - GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr - 43jjLL40ONdFxX7qW/DhT9MCAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp + 1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A + MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe + UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V + rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez + gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO + c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna + dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze + ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D + KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq + GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr + 43jjLL40ONdFxX7qW/DhT9MCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "LgJ7+/sq7t+Ym/DjJrWesIpUw1Lw7bxPi0XFHtsVWLB"; + }; }; wiregrill = { ip6.addr = w6 "3"; @@ -764,22 +815,25 @@ in { aliases = [ "lasspi.r" ]; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1 - JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F - CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl - oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P - Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS - BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC - VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8 - +Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs - QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP - zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP - 6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc - 287nChBcbY+HlshTe0lZdrkCAwEAAQ== - -----END PUBLIC KEY----- - ''; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1 + JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F + CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl + oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P + Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS + BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC + VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8 + +Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs + QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP + zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP + 6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc + 287nChBcbY+HlshTe0lZdrkCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "vSCHU+/BkoCo6lL5OmikALKBWgkRY8JRo4q8ZZRd5EG"; + }; }; wiregrill = { ip6.addr = w6 "189"; diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index 0312c62fd..c4cfb9a49 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -122,13 +122,9 @@ let }; privateKeyFile = mkOption { - type = types.secret-file; - default = { - name = "repo-sync-key"; - path = "${cfg.stateDir}/ssh.priv"; - owner = cfg.user; - source-path = toString <secrets> + "/repo-sync.ssh.key"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/repo-sync.ssh.key"; + defaultText = "‹secrets/repo-sync.ssh.key›"; }; unitConfig = mkOption { @@ -144,14 +140,16 @@ let }; imp = { - krebs.secret.files.repo-sync-key = cfg.privateKeyFile; users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; + group = cfg.user.name; description = "repo-sync user"; isSystemUser = true; }; + users.groups.${cfg.user.name} = {}; + systemd.timers = mapAttrs' (name: repo: nameValuePair "repo-sync-${name}" { description = "repo-sync timer"; @@ -160,6 +158,10 @@ let } ) cfg.repos; + krebs.systemd.services = mapAttrs' (name: _: + nameValuePair "repo-sync-${name}" {} + ) cfg.repos; + systemd.services = mapAttrs' (name: repo: let repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json" @@ -168,16 +170,10 @@ let }); in nameValuePair "repo-sync-${name}" { description = "repo-sync"; - after = [ - config.krebs.secret.files.repo-sync-key.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.repo-sync-key.service - ]; + after = [ "network.target" ]; environment = { - GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}"; + GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key"; REPONAME = "${name}.git"; }; @@ -185,6 +181,7 @@ let serviceConfig = { Type = "simple"; PermissionsStartOnly = true; + LoadCredential = "ssh_key:${cfg.privateKeyFile}"; ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}"; WorkingDirectory = cfg.stateDir; User = "repo-sync"; diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index 978939f69..0c5e1cdcd 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -27,7 +27,6 @@ in { systemd.services = mapAttrs' (name: file: nameValuePair "secret-trigger-${systemd.encodeName name}" { - wantedBy = ["multi-user.target"]; serviceConfig = { Type = "oneshot"; ExecStart = "${pkgs.systemd}/bin/systemctl restart ${shell.escape file.service}"; diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix new file mode 100644 index 000000000..294f80a3c --- /dev/null +++ b/krebs/3modules/systemd.nix @@ -0,0 +1,48 @@ +{ config, pkgs, ... }: let { + lib = import ../../lib; + + body.options.krebs.systemd.services = lib.mkOption { + default = {}; + type = lib.types.attrsOf (lib.types.submodule { + options = { + ifCredentialsChange = lib.mkOption { + default = "restart"; + description = '' + Whether to reload or restart the service whenever any its + credentials change. Only credentials with an absolute path in + LoadCredential= are supported. + ''; + type = lib.types.enum [ + "reload" + "restart" + null + ]; + }; + }; + }); + }; + + body.config = { + systemd.paths = lib.mapAttrs' (serviceName: _: + lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { + wantedBy = [ "multi-user.target" ]; + pathConfig.PathChanged = + lib.filter + lib.types.absolute-pathname.check + (map + (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) + (lib.toList + config.systemd.services.${serviceName}.serviceConfig.LoadCredential)); + } + ) config.krebs.systemd.services; + + systemd.services = lib.mapAttrs' (serviceName: cfg: + lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.systemd}/bin/systemctl ${cfg.ifCredentialsChange} ${lib.shell.escape serviceName}"; + }; + } + ) config.krebs.systemd.services; + }; +} diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 898b5e8c3..a18248351 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -1,12 +1,6 @@ with import <stockholm/lib>; -{ config, pkgs, ... }: -let - out = { - options.krebs.tinc = api; - config = imp; - }; - - api = mkOption { +{ config, pkgs, ... }: { + options.krebs.tinc = mkOption { default = {}; description = '' define a tinc network @@ -17,7 +11,6 @@ let in { enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; }; - enableLegacy = mkEnableOption "/etc/tinc/${netname}"; confDir = mkOption { type = types.package; @@ -29,10 +22,6 @@ let Interface = ${netname} Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} - ${optionalString (tinc.config.privkey_ed25519 != null) - "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}" - } - PrivateKeyFile = ${tinc.config.privkey.path} Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} ''; @@ -102,7 +91,7 @@ let tincPackage = mkOption { type = types.package; - default = pkgs.tinc; + default = pkgs.tinc_pre; description = "Tincd package to use."; }; @@ -170,25 +159,17 @@ let }; privkey = mkOption { - type = types.secret-file; - default = { - name = "${tinc.config.netname}.rsa_key.priv"; - path = "${tinc.config.user.home}/tinc.rsa_key.priv"; - owner = tinc.config.user; - source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; defaultText = "‹secrets/‹netname›.rsa_key.priv›"; }; privkey_ed25519 = mkOption { - type = types.nullOr types.secret-file; + type = types.nullOr types.absolute-pathname; default = - if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else { - name = "${tinc.config.netname}.ed25519_key.priv"; - path = "${tinc.config.user.home}/tinc.ed25519_key.priv"; - owner = tinc.config.user; - source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; - }; + if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null + then null + else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; defaultText = "‹secrets/‹netname›.ed25519_key.priv›"; }; @@ -227,28 +208,7 @@ let })); }; - imp = { - # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, - # avoid conflicts in environment if the packages differ - - krebs.secret.files = - let - ed25519_keys = - filterAttrs - (_: key: key != null) - (mapAttrs' - (netname: cfg: - nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519 - ) - config.krebs.tinc); - - rsa_keys = - mapAttrs' - (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey) - config.krebs.tinc; - in - ed25519_keys // rsa_keys; - + config = { users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { inherit (cfg.user) home name uid; @@ -263,36 +223,47 @@ let ) config.krebs.tinc; environment.etc = mapAttrs' (netname: cfg: - nameValuePair "tinc/${netname}" (mkIf cfg.enableLegacy { + nameValuePair "tinc/${netname}" { source = cfg.confDir; - }) + } ) config.krebs.tinc; - systemd.services = mapAttrs (netname: cfg: - let - tinc = cfg.tincPackage; - iproute = cfg.iproutePackage; - in { - description = "Tinc daemon for ${netname}"; - after = [ - "network.target" - config.krebs.secret.files."${netname}.rsa_key.priv".service - ] ++ optionals (cfg.privkey_ed25519 != null) [ - config.krebs.secret.files."${netname}.ed25519_key.priv".service + krebs.systemd.services = mapAttrs (netname: cfg: { + }) config.krebs.tinc; + + systemd.services = mapAttrs (netname: cfg: { + description = "Tinc daemon for ${netname}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ + cfg.iproutePackage + cfg.tincPackage + ]; + reloadIfChanged = true; + restartTriggers = [ cfg.confDir ]; + serviceConfig = { + Restart = "always"; + LoadCredential = filter (x: x != "") [ + (optionalString (cfg.privkey_ed25519 != null) + "ed25519_key:${cfg.privkey_ed25519}" + ) + "rsa_key:${cfg.privkey}" ]; - partOf = [ - config.krebs.secret.files."${netname}.rsa_key.priv".service - ] ++ optionals (cfg.privkey_ed25519 != null) [ - config.krebs.secret.files."${netname}.ed25519_key.priv".service + ExecStart = toString [ + "${cfg.tincPackage}/sbin/tincd" + "-D" + "-U ${cfg.user.name}" + "-c /etc/tinc/${netname}" + "-d 0" + (optionalString (cfg.privkey_ed25519 != null) + "-o Ed25519PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/ed25519_key" + ) + "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key" + "--pidfile=/var/run/tinc.${netname}.pid" ]; - wantedBy = [ "multi-user.target" ]; - path = [ tinc iproute ]; - serviceConfig = rec { - Restart = "always"; - ExecStart = "${tinc}/sbin/tincd -c ${cfg.confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = netname; - }; - } - ) config.krebs.tinc; + ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload"; + SyslogIdentifier = netname; + }; + }) config.krebs.tinc; }; -in out +} diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 92f1a5bcd..8d48c2a47 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -50,6 +50,7 @@ in { cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "Td6pRkmSzSGVJll26rULdr6W4U87xsHZ/87NEaglW3K"; }; }; ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa"; @@ -74,8 +75,7 @@ in { jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB -----END RSA PUBLIC KEY----- ''; - tinc.pubkey_ed25519 = - "Ed25519PublicKey = bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO"; + tinc.pubkey_ed25519 = "bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO"; }; }; secure = true; @@ -99,8 +99,7 @@ in { Brbw1bqZ3P+CGzvxVJZtirvR2f3HkidGPQIDAQAB -----END RSA PUBLIC KEY----- ''; - tinc.pubkey_ed25519 = - "Ed25519PublicKey = PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO"; + tinc.pubkey_ed25519 = "PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO"; }; }; secure = true; @@ -126,6 +125,7 @@ in { FK6BsssQWdwiEWpv6xIl1Fi+s7F0riq2cwIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "cEf/Kq/2Fo70yoIcVmhIp4it9eA7L3GdkgrVE9AWU6C"; }; }; ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519"; @@ -172,6 +172,7 @@ in { Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ== -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE"; }; wiregrill.wireguard.subnets = [ (krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR @@ -199,6 +200,7 @@ in { Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "sBevGkYkcNKd39yf/Mp0whnsWIJfTGxSU1lbqN305nP"; }; }; secure = true; @@ -225,6 +227,7 @@ in { AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "urVOEGxTkBedkpszPH0XRCRMk+Fc2U9IneYMFDqGoIB"; }; }; secure = true; @@ -284,6 +287,7 @@ in { 4o+9nGJPuzb9bpMVRaVGtKXd39jwY7mbqwIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "xYgYM9rXS73RFKUHF3ekQWhcWzuBLOPYG2bimhpH2pM"; }; }; secure = true; diff --git a/krebs/5pkgs/simple/empty.nix b/krebs/5pkgs/simple/empty.nix deleted file mode 100644 index a45723b65..000000000 --- a/krebs/5pkgs/simple/empty.nix +++ /dev/null @@ -1,2 +0,0 @@ -{ pkgs }: -pkgs.runCommand "empty-1.0.0" {} "mkdir $out" diff --git a/krebs/5pkgs/simple/rss-bridge/default.nix b/krebs/5pkgs/simple/rss-bridge/default.nix index e0a927a1a..2ad322d48 100644 --- a/krebs/5pkgs/simple/rss-bridge/default.nix +++ b/krebs/5pkgs/simple/rss-bridge/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "rss-bridge"; - version = "unstable-2021-04-20"; + version = "unstable-2021-12-02"; src = fetchFromGitHub { owner = "RSS-Bridge"; repo = "rss-bridge"; - rev = "716f5ddc0e20c10cb77ded46380cc376913a92fd"; - sha256 = "17aqmj7rz0ysk8nj4kbjvnsjdm47d0xsypfygzzk2vagxfz5w3p8"; + rev = "f469489b569d22fb5edbd13c6e5f5abf2a4ee186"; + sha256 = "sha256-LyxcycXbOFZR0mMDMUqAOjWrHIE2ftxkAYUGBbcQF5k=="; }; patchPhase = '' diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index b41e396c9..5cf7d9242 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -42,13 +42,6 @@ with import <stockholm/lib>; "-M ${toString config.users.users.mainUser.uid}" ]; }; - "/home/lass/sync" = { - source = "/var/state/lass_sync"; - options = [ - "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}" - "--create-for-user=${toString config.users.users.syncthing.uid}" - ]; - }; "/var/lib/bitlbee" = { source = "/var/state/bitlbee"; options = [ @@ -94,4 +87,10 @@ with import <stockholm/lib>; krebs.iptables.tables.nat.PREROUTING.rules = [ { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } ]; + + # workaround for ssh access from yubikey via android + services.openssh.extraConfig = '' + HostKeyAlgorithms +ssh-rsa + PubkeyAcceptedAlgorithms +ssh-rsa + ''; } diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix deleted file mode 100644 index 68acf12b8..000000000 --- a/lass/1systems/helios/config.nix +++ /dev/null @@ -1,7 +0,0 @@ -with import <stockholm/lib>; -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - dpass - ]; -} diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 88ac90de4..4d042de22 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -127,7 +127,6 @@ with import <stockholm/lib>; transmission macchanger - dpass dnsutils woeusb diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix index b303df938..4ed0bfa5f 100644 --- a/lass/2configs/hass/default.nix +++ b/lass/2configs/hass/default.nix @@ -120,8 +120,8 @@ in { services.mosquitto = { enable = true; listeners = [{ - acl = [ "topic pattern readwrite #" ]; - users.gg23 = { acl = [ "topic readwrite #" ]; password = "gg23-mqtt"; }; + acl = [ ]; + users.gg23 = { acl = [ "readwrite #" ]; password = "gg23-mqtt"; }; }]; }; diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index 9932f8172..f900bc28e 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -14,7 +14,6 @@ }; krebs.tinc.retiolum = { - enableLegacy = true; enable = true; connectTo = [ "prism" diff --git a/lass/5pkgs/dpass/default.nix b/lass/5pkgs/dpass/default.nix deleted file mode 100644 index c1e803bcb..000000000 --- a/lass/5pkgs/dpass/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pass, write, writeDash, ... }: - -write "dsco-pass" { - "/bin/dpass".link = writeDash "dpass" '' - PASSWORD_STORE_DIR=$HOME/.dpasswordstore \ - exec ${pass}/bin/pass $@ - ''; - "/bin/dpassmenu".link = writeDash "dpassmenu" '' - PASSWORD_STORE_DIR=$HOME/.dpasswordstore \ - exec ${pass}/bin/passmenu $@ - ''; -} diff --git a/lass/krops.nix b/lass/krops.nix index 4abd010e1..ace37888f 100644 --- a/lass/krops.nix +++ b/lass/krops.nix @@ -23,6 +23,10 @@ name = "hosts/${name}"; }; }; + stockholm.file = lib.mkForce { + path = toString ../.; + useChecksum = true; + }; } (if lib.pathExists (./. + "/1systems/${name}/source.nix") then import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs test; } diff --git a/lib/default.nix b/lib/default.nix index 738e52186..574713e48 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -39,6 +39,8 @@ let listToAttrs (map (name: nameValuePair name set.${name}) (filter (flip hasAttr set) names)); + maybeHead = x: if isList x && length x > 0 then head x else null; + packageName = pkg: pkg.pname or (parseDrvName pkg.name).name; diff --git a/lib/types.nix b/lib/types.nix index b6c266c33..318e2f237 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -188,6 +188,10 @@ rec { ++ [config.pubkey] ++ + optional (config.pubkey_ed25519 != null) '' + Ed25519PublicKey = ${config.pubkey_ed25519} + '' + ++ optional (config.weight != null) "Weight = ${toString config.weight}" ); defaultText = '' diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index c0125ecfa..fed74c921 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -25,6 +25,7 @@ let { pkgs.tv.vimPlugins.vim pkgs.vimPlugins.fzfWrapper pkgs.vimPlugins.undotree + pkgs.vimPlugins.vim-nftables ]; dirs = { diff --git a/tv/3modules/charybdis/config.nix b/tv/3modules/charybdis/config.nix index 3c73d2565..dccbfde67 100644 --- a/tv/3modules/charybdis/config.nix +++ b/tv/3modules/charybdis/config.nix @@ -61,13 +61,13 @@ in toFile "charybdis.conf" '' vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr}; /* ssl_private_key: our ssl private key */ - ssl_private_key = ${toJSON cfg.ssl_private_key.path}; + ssl_private_key = "/tmp/credentials/ssl_private_key"; /* ssl_cert: certificate for our ssl server */ ssl_cert = ${toJSON cfg.ssl_cert}; /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ - ssl_dh_params = ${toJSON cfg.ssl_dh_params.path}; + ssl_dh_params = "/tmp/credentials/ssl_dh_params"; /* ssld_count: number of ssld processes you want to start, if you * have a really busy server, using N-1 where N is the number of diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix index 9c5ce2731..96aae702a 100644 --- a/tv/3modules/charybdis/default.nix +++ b/tv/3modules/charybdis/default.nix @@ -15,22 +15,12 @@ in { type = types.path; }; ssl_dh_params = mkOption { - type = types.secret-file; - default = { - name = "charybdis-ssl_dh_params"; - path = "${cfg.user.home}/dh.pem"; - owner = cfg.user; - source-path = toString <secrets> + "/charybdis.dh.pem"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/charybdis.dh.pem"; }; ssl_private_key = mkOption { - type = types.secret-file; - default = { - name = "charybdis-ssl_private_key"; - path = "${cfg.user.home}/ssl.key.pem"; - owner = cfg.user; - source-path = toString <secrets> + "/charybdis.key.pem"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/charybdis.key.pem"; }; sslport = mkOption { type = types.int; @@ -46,22 +36,13 @@ in { }; config = lib.mkIf cfg.enable { - krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params; - krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key; - environment.etc."charybdis-ircd.motd".text = cfg.motd; + krebs.systemd.services.charybdis = {}; + systemd.services.charybdis = { wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.charybdis-ssl_dh_params.service - config.krebs.secret.files.charybdis-ssl_private_key.service - "network-online.target" - ]; - partOf = [ - config.krebs.secret.files.charybdis-ssl_dh_params.service - config.krebs.secret.files.charybdis-ssl_private_key.service - ]; + after = [ "network-online.target" ]; environment = { BANDB_DBPATH = "${cfg.user.home}/ban.db"; }; @@ -70,21 +51,30 @@ in { User = cfg.user.name; PrivateTmp = true; Restart = "always"; - ExecStartPre = - "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"; + ExecStartPre = [ + "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd" + "${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials" + ]; ExecStart = toString [ "${pkgs.charybdis}/bin/charybdis" "-configfile ${import ./config.nix args}" "-foreground" "-logfile /dev/stderr" ]; + LoadCredential = [ + "ssl_dh_params:${cfg.ssl_dh_params}" + "ssl_private_key:${cfg.ssl_private_key}" + ]; }; }; users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; + group = cfg.user.name; isSystemUser = true; }; + + users.groups.${cfg.user.name} = {}; }; } diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix index a0631e226..a022bc448 100644 --- a/tv/3modules/ejabberd/config.nix +++ b/tv/3modules/ejabberd/config.nix @@ -48,6 +48,9 @@ in /* yaml */ '' - "::1/128" - "::FFFF:127.0.0.1/128" + certfiles: + - /tmp/credentials/certfile + hosts: ${toJSON config.hosts} language: "en" @@ -58,9 +61,8 @@ in /* yaml */ '' ip: "::" module: ejabberd_c2s shaper: c2s_shaper - certfile: ${toJSON config.certfile.path} ciphers: ${toJSON ciphers} - dhfile: ${toJSON config.dhfile.path} + dhfile: /var/lib/ejabberd/dhfile protocol_options: ${toJSON protocol_options} starttls: true starttls_required: true @@ -109,9 +111,8 @@ in /* yaml */ '' mod_http_api: {} s2s_access: s2s - s2s_certfile: ${toJSON config.s2s_certfile.path} s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: ${toJSON config.dhfile.path} + s2s_dhfile: /var/lib/ejabberd/dhfile s2s_protocol_options: ${toJSON protocol_options} s2s_tls_compression: false s2s_use_starttls: required diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index 2ca88732b..935df9a9c 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -16,22 +16,8 @@ in { options.tv.ejabberd = { enable = mkEnableOption "tv.ejabberd"; certfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-certfile"; - path = "${cfg.user.home}/ejabberd.pem"; - owner = cfg.user; - source-path = toString <secrets> + "/ejabberd.pem"; - }; - }; - dhfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-dhfile"; - path = "${cfg.user.home}/dhparams.pem"; - owner = cfg.user; - source-path = "/dev/null"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/ejabberd.pem"; }; hosts = mkOption { type = with types; listOf str; @@ -61,10 +47,6 @@ in { config.krebs.users.tv.mail ]; }; - s2s_certfile = mkOption { - type = types.secret-file; - default = cfg.certfile; - }; user = mkOption { type = types.user; default = { @@ -90,27 +72,24 @@ in { }) ]; - krebs.secret.files = { - ejabberd-certfile = cfg.certfile; - ejabberd-s2s_certfile = cfg.s2s_certfile; - }; + krebs.systemd.services.ejabberd = {}; systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - ]; + after = [ "network.target" ]; serviceConfig = { - ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; - ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground"; + ExecStart = pkgs.writeDash "ejabberd" '' + ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials + ${gen-dhparam} /var/lib/ejabberd/dhfile + exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground + ''; + LoadCredential = [ + "certfile:${cfg.certfile}" + ]; PermissionsStartOnly = true; + PrivateTmp = true; SyslogIdentifier = "ejabberd"; + StateDirectory = "ejabberd"; User = cfg.user.name; TimeoutStartSec = 60; }; @@ -119,7 +98,10 @@ in { users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; + group = cfg.user.name; isSystemUser = true; }; + + users.groups.${cfg.user.name} = {}; }; } diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix index ba79c4a49..4dbb34df0 100644 --- a/tv/3modules/x0vncserver.nix +++ b/tv/3modules/x0vncserver.nix @@ -11,17 +11,12 @@ in { }; enable = mkEnableOption "tv.x0vncserver"; pwfile = mkOption { - default = { - name = "x0vncserver-pwfile"; - owner = cfg.user; - path = "${cfg.user.home}/.vncpasswd"; - source-path = toString <secrets> + "/vncpasswd"; - }; + default = toString <secrets> + "/vncpasswd"; description = '' Use vncpasswd to edit pwfile. See: nix-shell -p tigervnc --run 'man vncpasswd' ''; - type = types.secret-file; + type = types.absolute-pathname; }; rfbport = mkOption { default = 5900; @@ -33,26 +28,17 @@ in { }; }; config = mkIf cfg.enable { - krebs.secret.files = { - x0vncserver-pwfile = cfg.pwfile; - }; + krebs.systemd.services.x0vncserver = {}; systemd.services.x0vncserver = { - after = [ - config.krebs.secret.files.x0vncserver-pwfile.service - "graphical.target" - ]; - partOf = [ - config.krebs.secret.files.x0vncserver-pwfile.service - ]; - requires = [ - "graphical.target" - ]; + after = [ "graphical.target" ]; + requires = [ "graphical.target" ]; serviceConfig = { ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [ "-display ${cfg.display}" - "-passwordfile ${cfg.pwfile.path}" + "-passwordfile \${CREDENTIALS_DIRECTORY}/pwfile" "-rfbport ${toString cfg.rfbport}" ]}"; + LoadCredential = "ssh_key:${cfg.pwfile}"; User = cfg.user.name; }; }; diff --git a/tv/5pkgs/vim/nix.nix b/tv/5pkgs/vim/nix.nix index c121d815f..6715af737 100644 --- a/tv/5pkgs/vim/nix.nix +++ b/tv/5pkgs/vim/nix.nix @@ -136,6 +136,7 @@ with import <stockholm/lib>; javascript.extraStart = comment "js"; lua = {}; markdown.extraStart = writerExt "md"; + nftables = {}; #nginx = {}; python.extraStart = alts [ (comment "py") |