Diffstat (limited to 'krebs')
-rw-r--r--krebs/0tests/data/secrets/initrd/host_ecdsa.pub0
-rw-r--r--krebs/0tests/data/secrets/initrd/host_ecdsa_key0
-rw-r--r--krebs/0tests/data/secrets/initrd/hostname0
-rw-r--r--krebs/0tests/data/secrets/initrd/hs_ed25519_public_key0
-rw-r--r--krebs/0tests/data/secrets/initrd/hs_ed25519_secret_key0
-rw-r--r--krebs/0tests/data/secrets/initrd/openssh_host_ecdsa_key0
-rw-r--r--krebs/1systems/puyak/config.nix87
-rw-r--r--krebs/1systems/wolf/config.nix80
-rw-r--r--krebs/2configs/gitlab-runner-shackspace.nix33
-rw-r--r--krebs/2configs/shack/gitlab-runner.nix62
-rw-r--r--krebs/2configs/shack/share.nix3
-rw-r--r--krebs/2configs/tor/initrd.nix50
12 files changed, 187 insertions, 128 deletions
diff --git a/krebs/0tests/data/secrets/initrd/host_ecdsa.pub b/krebs/0tests/data/secrets/initrd/host_ecdsa.pub
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/initrd/host_ecdsa.pub
diff --git a/krebs/0tests/data/secrets/initrd/host_ecdsa_key b/krebs/0tests/data/secrets/initrd/host_ecdsa_key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/initrd/host_ecdsa_key
diff --git a/krebs/0tests/data/secrets/initrd/hostname b/krebs/0tests/data/secrets/initrd/hostname
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/initrd/hostname
diff --git a/krebs/0tests/data/secrets/initrd/hs_ed25519_public_key b/krebs/0tests/data/secrets/initrd/hs_ed25519_public_key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/initrd/hs_ed25519_public_key
diff --git a/krebs/0tests/data/secrets/initrd/hs_ed25519_secret_key b/krebs/0tests/data/secrets/initrd/hs_ed25519_secret_key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/initrd/hs_ed25519_secret_key
diff --git a/krebs/0tests/data/secrets/initrd/openssh_host_ecdsa_key b/krebs/0tests/data/secrets/initrd/openssh_host_ecdsa_key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/initrd/openssh_host_ecdsa_key
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 08a3392bd..0cadc3a10 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -7,19 +7,104 @@
<stockholm/krebs/2configs/secret-passwords.nix>
<stockholm/krebs/2configs/hw/x220.nix>
+
+ ## initrd unlocking
+ # (brain hosts/puyak/luks-ssd;echo) | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase'
+ <stockholm/krebs/2configs/tor/initrd.nix>
+
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/binary-cache/prism.nix>
<stockholm/krebs/2configs/go.nix>
<stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/news.nix>
<stockholm/krebs/2configs/news-spam.nix>
+
+ ### shackspace
+ # handle the worlddomination map via coap
+ <stockholm/krebs/2configs/shack/worlddomination.nix>
<stockholm/krebs/2configs/shack/ssh-keys.nix>
+
+ # drivedroid.shack for shackphone
+ <stockholm/krebs/2configs/shack/drivedroid.nix>
+ # <stockholm/krebs/2configs/shack/nix-cacher.nix>
+
+ # Say if muell will be collected
+ <stockholm/krebs/2configs/shack/muell_caller.nix>
+ # provide muellshack api: muell.shack
+ <stockholm/krebs/2configs/shack/muellshack.nix>
+ # send mail if muell was not handled
+ <stockholm/krebs/2configs/shack/muell_mail.nix>
+
+ # provide light control api
+ <stockholm/krebs/2configs/shack/node-light.nix> # light.shack lounge.light.shack power.light.shack openhab.shack lightapi.shack
+ # light.shack web-ui
+ <stockholm/krebs/2configs/shack/light.shack.nix> #light.shack
+
+ # powerraw usb serial to mqtt and raw socket
+ <stockholm/krebs/2configs/shack/powerraw.nix> # powerraw.shack standby.shack
+ # send power stats to s3
+ <stockholm/krebs/2configs/shack/s3-power.nix> # powerraw.shack must be available
+
+
+ { # do not log to /var/spool/log
+ services.nginx.appendHttpConfig = ''
+ map $request_method $loggable {
+ default 1;
+ GET 0;
+ }
+ log_format vhost '$host $remote_addr - $remote_user '
+ '[$time_local] "$request" $status '
+ '$body_bytes_sent "$http_referer" '
+ '"$http_user_agent"';
+ error_log stderr;
+ access_log syslog:server=unix:/dev/log vhost;
+ '';
+ services.journald.rateLimitBurst = 10000;
+ }
+
+ # create samba share for anonymous usage with the laser and 3d printer pc
+ <stockholm/krebs/2configs/shack/share.nix>
+
+ # mobile.lounge.mpd.shack
+ <stockholm/krebs/2configs/shack/mobile.mpd.nix>
+
+ # hass.shack
+ <stockholm/krebs/2configs/shack/glados>
+
+ # connect to git.shackspace.de as group runner for rz
+ <stockholm/krebs/2configs/shack/gitlab-runner.nix>
+
+ # Statistics collection and visualization
+ # <stockholm/krebs/2configs/shack/graphite.nix> # graphiteApi is broken and unused(hopefully)
+ ## Collect data from mqtt.shack and store in graphite database
+ <stockholm/krebs/2configs/shack/mqtt_sub.nix>
+ ## Collect radioactive data and put into graphite
+ <stockholm/krebs/2configs/shack/radioactive.nix>
+ ## mqtt.shack
+ <stockholm/krebs/2configs/shack/mqtt.nix>
+ ## influx.shack
+ <stockholm/krebs/2configs/shack/influx.nix>
+
+ ## Collect local statistics via collectd and send to collectd
+ <stockholm/krebs/2configs/stats/shack-client.nix>
+ <stockholm/krebs/2configs/stats/shack-debugging.nix>
+
+ ## netbox.shack: Netbox is disabled as nobody seems to be using it anyway
+ # <stockholm/krebs/2configs/shack/netbox.nix>
+
+ # grafana.shack
+ <stockholm/krebs/2configs/shack/grafana.nix>
+
+ # shackdns.shack
+ # replacement for leases.shack and shackles.shack
+ <stockholm/krebs/2configs/shack/shackDNS.nix>
+
+ # monitoring: prometheus.shack
<stockholm/krebs/2configs/shack/prometheus/node.nix>
<stockholm/krebs/2configs/shack/prometheus/server.nix>
<stockholm/krebs/2configs/shack/prometheus/blackbox.nix>
<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
<stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
- <stockholm/krebs/2configs/shack/gitlab-runner.nix>
## Collect local statistics via collectd and send to collectd
<stockholm/krebs/2configs/stats/shack-client.nix>
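Review bot: The new `## Collect local statistics` section imports `<stockholm/krebs/2configs/stats/shack-client.nix>` (and `shack-debugging.nix`), yet the same `## Collect local statistics via collectd` comment and `shack-client.nix` import survive as context at the end of the hunk, so the list now carries that import twice. The module system tolerates importing the same path twice, so evaluation is not affected, but the trailing copy (and presumably the `shack-debugging.nix` line right after it, outside the hunk) should be dropped so the list stays readable. The `imports = [` list this hunk edits begins before the hunk and continues past its last line.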
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index 0160f9ebb..25e7c5f06 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@@ -14,85 +14,15 @@ in
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/binary-cache/prism.nix>
- # handle the worlddomination map via coap
- <stockholm/krebs/2configs/shack/worlddomination.nix>
- <stockholm/krebs/2configs/shack/ssh-keys.nix>
+ #### shackspace services
+ <stockholm/krebs/2configs/shack/share.nix> # wolf.shack
- # drivedroid.shack for shackphone
- <stockholm/krebs/2configs/shack/drivedroid.nix>
- # <stockholm/krebs/2configs/shack/nix-cacher.nix>
- # Say if muell will be collected
- <stockholm/krebs/2configs/shack/muell_caller.nix>
- # provide muellshack api
- <stockholm/krebs/2configs/shack/muellshack.nix>
- # provide light control api
- <stockholm/krebs/2configs/shack/node-light.nix>
- # light.shack web-ui
- <stockholm/krebs/2configs/shack/light.shack.nix>
- # send mail if muell was not handled
- <stockholm/krebs/2configs/shack/muell_mail.nix>
- # send mail if muell was not handled
- <stockholm/krebs/2configs/shack/s3-power.nix>
- # powerraw usb serial to mqtt and raw socket
- <stockholm/krebs/2configs/shack/powerraw.nix>
-
- { # do not log to /var/spool/log
- services.nginx.appendHttpConfig = ''
- map $request_method $loggable {
- default 1;
- GET 0;
- }
- log_format vhost '$host $remote_addr - $remote_user '
- '[$time_local] "$request" $status '
- '$body_bytes_sent "$http_referer" '
- '"$http_user_agent"';
- error_log stderr;
- access_log syslog:server=unix:/dev/log vhost;
- '';
- services.journald.rateLimitBurst = 10000;
- }
-
- # create samba share for anonymous usage with the laser and 3d printer pc
- <stockholm/krebs/2configs/shack/share.nix>
-
- # mobile.lounge.mpd.shack
- <stockholm/krebs/2configs/shack/mobile.mpd.nix>
-
- # hass.shack
- <stockholm/krebs/2configs/shack/glados>
-
- # connect to git.shackspace.de as group runner for rz
+ # gitlab runner
<stockholm/krebs/2configs/shack/gitlab-runner.nix>
-
- # Statistics collection and visualization
- # <stockholm/krebs/2configs/shack/graphite.nix> # graphiteApi is broken and unused(hopefully)
- ## Collect data from mqtt.shack and store in graphite database
- <stockholm/krebs/2configs/shack/mqtt_sub.nix>
- ## Collect radioactive data and put into graphite
- <stockholm/krebs/2configs/shack/radioactive.nix>
- ## mqtt.shack
- <stockholm/krebs/2configs/shack/mqtt.nix>
- ## influx.shack
- <stockholm/krebs/2configs/shack/influx.nix>
-
- ## Collect local statistics via collectd and send to collectd
- <stockholm/krebs/2configs/stats/shack-client.nix>
- <stockholm/krebs/2configs/stats/shack-debugging.nix>
-
- <stockholm/krebs/2configs/shack/netbox.nix>
- # prometheus.shack
- #<stockholm/krebs/2configs/shack/prometheus/server.nix>
- <stockholm/krebs/2configs/shack/prometheus/node.nix>
- #<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
- # grafana.shack
- <stockholm/krebs/2configs/shack/grafana.nix>
-
- # shackdns.shack
- # replacement for leases.shack and shackles.shack
- <stockholm/krebs/2configs/shack/shackDNS.nix>
-
# misc
+ <stockholm/krebs/2configs/shack/ssh-keys.nix>
<stockholm/krebs/2configs/save-diskspace.nix>
+ <stockholm/krebs/2configs/shack/prometheus/node.nix>
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
diff --git a/krebs/2configs/gitlab-runner-shackspace.nix b/krebs/2configs/gitlab-runner-shackspace.nix
deleted file mode 100644
index f4247b6da..000000000
--- a/krebs/2configs/gitlab-runner-shackspace.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, pkgs, ... }:
-let
- url = "https://git.shackspace.de/";
- # generate token from CI-token via:
- ## gitlab-runner register
- ## cat /etc/gitlab-runner/config.toml
- token = import <secrets/shackspace-gitlab-ci-token.nix> ;
-in {
- systemd.services.gitlab-runner.path = [
- "/run/wrappers" # /run/wrappers/bin/su
- "/" # /bin/sh
- ];
- systemd.services.gitlab-runner.serviceConfig.PrivateTmp = true;
- virtualisation.docker.enable = true;
- services.gitlab-runner = {
- enable = true;
- # configFile, configOptions and gracefulTimeout not yet in stable
- # gracefulTimeout = "120min";
- configFile = pkgs.writeText "gitlab-runner.cfg" ''
- concurrent = 1
- check_interval = 0
-
- [[runners]]
- name = "krebs-shell"
- url = "${url}"
- token = "${token}"
- executor = "shell"
- shell = "sh"
- environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
- [runners.cache]
- '';
- };
-}
diff --git a/krebs/2configs/shack/gitlab-runner.nix b/krebs/2configs/shack/gitlab-runner.nix
index bd391851a..ecb064579 100644
--- a/krebs/2configs/shack/gitlab-runner.nix
+++ b/krebs/2configs/shack/gitlab-runner.nix
@@ -1,24 +1,48 @@
-{ pkgs, ... }:
-let
- runner-src = builtins.fetchTarball {
- url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/master/nixos-gitlab-runner-master.tar.gz";
- sha256 = "1s0fy5ny2ygcfvx35xws8xz5ih4z4kdfqlq3r6byxpylw7r52fyi";
- };
-in
+{ pkgs,lib, ... }:
{
- imports = [
- "${runner-src}/gitlab-runner.nix"
- ];
- services.gitlab-runner2 = {
+ services.gitlab-runner = {
enable = true;
- ## registrationConfigurationFile contains:
- # CI_SERVER_URL=<CI server URL>
- # REGISTRATION_TOKEN=<registration secret>
- # RUNNER_TAG_LIST=nix,shacklan
- # RUNNER_NAME=stockholm-runner-$name
- registrationConfigFile = <secrets/shackspace-gitlab-ci>;
- #gracefulTermination = true;
+ services= {
+ # runner for building in docker via host's nix-daemon
+ # nix store will be readable in runner, might be insecure
+ nix = with lib;{
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = toString <secrets/shackspace-gitlab-ci>;
+ dockerImage = "alpine";
+ dockerVolumes = [
+ "/nix/store:/nix/store:ro"
+ "/nix/var/nix/db:/nix/var/nix/db:ro"
+ "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+ ];
+ dockerDisableCache = true;
+ preBuildScript = pkgs.writeScript "setup-container" ''
+ mkdir -p -m 0755 /nix/var/log/nix/drvs
+ mkdir -p -m 0755 /nix/var/nix/gcroots
+ mkdir -p -m 0755 /nix/var/nix/profiles
+ mkdir -p -m 0755 /nix/var/nix/temproots
+ mkdir -p -m 0755 /nix/var/nix/userpool
+ mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+ mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+ mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+ mkdir -p -m 0700 "$HOME/.nix-defexpr"
+ . ${pkgs.nix}/etc/profile.d/nix.sh
+ ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+ ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+ ${pkgs.nix}/bin/nix-channel --update nixpkgs
+ '';
+ environmentVariables = {
+ ENV = "/etc/profile";
+ USER = "root";
+ NIX_REMOTE = "daemon";
+ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+ NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+ };
+ tagList = [ "nix" "shacklan" ];
+ };
+ };
};
- systemd.services.gitlab-runner2.restartIfChanged = false;
+ systemd.services.gitlab-runner.restartIfChanged = false;
systemd.services.docker.restartIfChanged = false;
}
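Review bot: The `:ro` on the `/nix/var/nix/daemon-socket` volume only makes the directory read-only; connecting to a Unix socket is not refused on a read-only bind mount, so with `NIX_REMOTE = "daemon"` every CI job from git.shackspace.de talks to the host nix-daemon as a regular client and can read the entire store and request arbitrary builds on the host. The comment `# nix store will be readable in runner, might be insecure` understates that; suggest `# jobs get client access to the host nix-daemon via the mounted socket (:ro only covers the directory); register only for trusted projects and check the host's trusted-users/allowed-users`. Both `dockerImage = "alpine"` and the `nix-channel --add https://nixos.org/channels/nixpkgs-unstable` in `preBuildScript` are unpinned, so the job environment changes underneath the runner; pinning the image by digest and the channel to a fixed nixpkgs revision (or reusing the host's `pkgs.path`) would make job runs reproducible. Since puyak and wolf now both import this module with the same `registrationConfigFile`, it is worth checking that the runner names the module derives do not collide on the GitLab side.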
diff --git a/krebs/2configs/shack/share.nix b/krebs/2configs/shack/share.nix
index 465d6ef69..d8d65d309 100644
--- a/krebs/2configs/shack/share.nix
+++ b/krebs/2configs/shack/share.nix
@@ -37,6 +37,9 @@
# for legacy systems
client min protocol = NT1
server min protocol = NT1
+ workgroup = WORKGROUP
+ server string = ${config.networking.hostName}
+ netbios name = ${config.networking.hostName}
'';
};
}
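Review bot: The three added lines interpolate `config.networking.hostName`, so the module's argument set must include `config`; the header is outside this hunk, so confirm it reads `{ config, ... }` and not only `{ pkgs, ... }`, otherwise evaluation fails on an undefined variable. Samba limits `netbios name` to 15 characters, which is fine for puyak and wolf but deserves a note for the next host that imports this share: `# netbios name is capped at 15 chars by Samba`. The enclosing `extraConfig` string starts before the hunk.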
diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix
new file mode 100644
index 000000000..98ed039b4
--- /dev/null
+++ b/krebs/2configs/tor/initrd.nix
@@ -0,0 +1,50 @@
+{config, pkgs, ... }:
+## unlock command:
+# (brain hosts/puyak/luks-ssd;echo) | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase'
+{
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 22;
+ authorizedKeys = [
+ config.krebs.users.jeschli-brauerei.pubkey
+ config.krebs.users.lass.pubkey
+ config.krebs.users.lass-mors.pubkey
+ config.krebs.users.makefu.pubkey
+ config.krebs.users.tv.pubkey
+ ];
+ hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ];
+ };
+ boot.initrd.availableKernelModules = [ "e1000e" ];
+
+ boot.initrd.secrets = {
+ "/etc/tor/onion/bootup" = <secrets/initrd>;
+ };
+
+ boot.initrd.extraUtilsCommands = ''
+ copy_bin_and_libs ${pkgs.tor}/bin/tor
+ '';
+
+ # start tor during boot process
+ boot.initrd.network.postCommands = let
+ torRc = (pkgs.writeText "tor.rc" ''
+ DataDirectory /etc/tor
+ SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+ SOCKSPort 127.0.0.1:9063
+ HiddenServiceDir /etc/tor/onion/bootup
+ HiddenServicePort 22 127.0.0.1:22
+ '');
+ in ''
+ echo "tor: preparing onion folder"
+ # have to do this otherwise tor does not want to start
+ chmod -R 700 /etc/tor
+
+ echo "make sure localhost is up"
+ ip a a 127.0.0.1/8 dev lo
+ ip link set lo up
+
+ echo "tor: starting tor"
+ tor -f ${torRc} --verify-config
+ tor -f ${torRc} &
+ '';
+}