From 31f86bf81903ac8d627de26fe9d73e3b2461a748 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 20 Nov 2023 17:23:55 +0100 Subject: kartei tv: init fu --- kartei/tv/hosts/fu.nix | 24 ++++++++++++++++++++++++ kartei/tv/wiregrill/fu.pub | 1 + 2 files changed, 25 insertions(+) create mode 100644 kartei/tv/hosts/fu.nix create mode 100644 kartei/tv/wiregrill/fu.pub diff --git a/kartei/tv/hosts/fu.nix b/kartei/tv/hosts/fu.nix new file mode 100644 index 000000000..f33da59c9 --- /dev/null +++ b/kartei/tv/hosts/fu.nix @@ -0,0 +1,24 @@ +{ + nets = { + retiolum = { + ip4.addr = "10.243.13.44"; + aliases = [ + "fu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA7zwE/2k+c14PkDPaDF4Ss4oxIvb99kcim9qHHhHanZKS0SG0pEOB + UthaL8ZC3ww278eh6J1hLsaqJsznEs7TAFYZtH94lbXyxsGq3hdlpMhXKdgeHuei + ZpNj/gyo1REsHz4k4Xj3XmtqWoAteQviccl2zi+KcC0U9hxvbnXIY3CGYgNsCFb4 + 2EJtFXi2nDoHXicso2+bUufIhNGjxEkye9dEkChEGM27fxSr61yVlLARpm67jfEY + kTW2OXOYz1yJ6Akr4yvQaS3FN6sEQ3YbE57Xju46VHn5kOmpYVMGyktmdOZwHnaO + iaTLEzuYBEAJuyEt/2/XmiCGjlxrIGkyZQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "a2nUW601al1Sp1owDC4D3ukDesHThXeabMzhUckUL1O"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8T+2Oe6qCE0uEb9H7CWZengyhHK30NelmYmpI4Umpm root@fu"; + syncthing.id = "F5B3EPT-OEOFYMV-GATESYO-727M6R4-YBXGW6Q-SG3QWC7-PPVFX4C-AY4UKAJ"; +} diff --git a/kartei/tv/wiregrill/fu.pub b/kartei/tv/wiregrill/fu.pub new file mode 100644 index 000000000..1eaa070b0 --- /dev/null +++ b/kartei/tv/wiregrill/fu.pub @@ -0,0 +1 @@ +Nds8Gja25t9xlQqr9zQIUAXXidt42cEIjq9VxUHkBQw= -- cgit v1.2.3 From 3c84e737106c8ff38676861fdc1f7737a4fc2f73 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 5 Dec 2023 15:20:49 +0100 Subject: sync-containers3: remove interface at container shutdown to avoid stuck containers --- krebs/3modules/sync-containers3.nix | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 58446c82b..cb239b955 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -246,6 +246,9 @@ in { }; } { "container@${ctr.name}" = lib.mkIf ctr.runContainer { serviceConfig = { + ExecStop = pkgs.writers.writeDash "remove_interface" '' + ${pkgs.iproute2}/bin/ip link del vb-${ctr.name} + ''; ExecStartPost = [ (pkgs.writers.writeDash "bind-to-bridge" '' ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0 -- cgit v1.2.3 From 26054451aea3ccb938be0af9e617ed1d039ac9ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 6 Nov 2023 13:58:41 +0100 Subject: kartei mic92: update vislor key --- kartei/mic92/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 00fb92128..5d4661935 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix 
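Review bot: The new `ExecStop` runs `ip link del vb-${ctr.name}` unconditionally, and `ip link del` exits non-zero when the veth is already gone (container never came up, or tore the link down itself), which makes systemd record the stop of `container@…` as failed; tolerate that case, e.g. `${pkgs.iproute2}/bin/ip link del vb-${ctr.name} || true`, or prefix the ExecStop path with systemd's `-` ignore marker. The ExecStartPost hook just below refers to the same interface as the quoted `"vb-$INSTANCE"`, so using one form in both places keeps the pair obviously consistent. ExecStop is given as a plain string while ExecStartPost is a list; if the NixOS container module itself defines ExecStop for this unit, a string value will conflict at module merge instead of appending — worth confirming against the module. The enclosing `container@${ctr.name}` service definition continues outside the hunk.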
@@ -993,15 +993,15 @@ in { aliases = [ "vislor.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAnAIEtqtJzQmhAOLMDOp6LvlMoElNezeFarvZ6LshbZbLPL7Mv2Iy - buEoduzGNlqUbqEypsv7pQBSqw4Kqn9jMnpk8EpPiLiqIaBJeGqS1eIHi4DdRIyC - wwOgAqbc0e55LGSRyLS2GgbzD3kHh0UgVF2/MM01r4l53w8ftSJwR5dL6tpKnfgm - wjc8hwQtxen+zym2RJV7E+YPKg2t/ZGTJZbgk54/19l5Eeb18xxfTyxBNdUWBBCo - vnR/h2gfCZnmsj4UiSor+z+00eaDyespfjLw3X7XQkCdlfgx0BVfhXH2RGOtdH+P - AdnLFg7OfGh9V8zAiOC7jyuCrlbh0q0QoQIDAQAB + MIIBCgKCAQEAzMOrwiMFgDbITQEnXBJev4bSprV2Hg04xuEUmdoMJB4OJdBrWY7G + 71aHXtAjBqJqRYbvSoRPa+jQcpqRHNdNctfE1wq3nUkOYSM0OHGoFwb3kfybh+vu + flmAY75ZlVRz3srITjMADpHeiuAEOmGPmlbLiUY09I2qjcaSzYYsTiGnyWSp95tL + g3CRqiC4kj4fM0B7lCp/dz/iXDvqWEgoGEQH34x4xIIToA+DkHX5/2NAl4aaiq9m + JQ8YCz5qBox3nD6W6bwwsEyG4vOHNcCLHBdVLEbfUFHM8XDjF3dJZ+RjCYxdiEjM + dZUckPeLf/8XDkNMZm1eKMIJBvcH3UESLQIDAQAB -----END RSA PUBLIC KEY----- ''; - tinc.pubkey_ed25519 = "PqpTiIldNgPTKQVnouiGNo8mX0wqSVtg9al6ve/sj2E"; + tinc.pubkey_ed25519 = "ZMFZ4fd75fh2OLg/SuiTsavs013E2tUaCDqX76LPI6K"; }; }; }; -- cgit v1.2.3 From 5046b7dd88f499842076f3aa952c9711ea91c5bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 18 Nov 2023 14:24:13 +0100 Subject: kartei mic92: update adelaide key --- kartei/mic92/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 5d4661935..96edeba55 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix 
@@ -692,15 +692,15 @@ in { aliases = [ "adelaide.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAzxKKd1dV+XDUV8pHqkAtbLcwEZVsf0kK+y5X/zbZcXEZhQQv6/dY - YJRoNG3lo8+7FMwYO2b2uyIkO1PopsORMAA2vIFaKJ2Qnt7byuIQ6n9CafIADx1M - dVf+cwUhY8IVIX2ndz9pIAY8NhmzEcjG5vGKxRqev1zNwa1LtsLDLObhkKYznM6y - HV5F92GONMeNOovHCxIYsSJ8jLn8BB60toADzocgzKvCiEw4IwKnzL/au9RGY4Xi - 25YXBzF5ai84e+HyaGGGD/qa4SqL9/jCkDB7QAwRqb01wGhtTLty+ubjzh1HF3am - zpizPVNwBTqHW1S3W1i/yi5a5w4D/zdrRQIDAQAB + MIIBCgKCAQEAp17cmCeFBu+WLKuhQQmYy3iVm/Vd42T7WA+WPaMDpejpf4hNFl8D + MYtLjEo44oOHKE95UK+CfEKjvY+XIYgr/TfXPXPbTfeUNlhwy/anK9Aek4tX/V3z + dkS139Tp9ffDq8jUkiITaIXBpMzWC8Pc+hvAUwOyq80YII2Xp+K7+vhpdXKP6Zo0 + eFd15nCWBhx2LBxnFSE+JT/bpuC4GdGhzAsafjnoR9Jl8kJ/wjIhI/b3j4l6udFq + Pn+/1z8mmb2LGkTg4cEUDWd86CCtkYVQW5/E0fHWFzUWStl/f1hEOENU4Cqy7GaD + ytioO8RI0ENZOdHZiy6vFnhPFG5Er2t4jQIDAQAB -----END RSA PUBLIC KEY----- ''; - tinc.pubkey_ed25519 = "YzB5BqgIQ4f209B2KhpdHu6gRYj5IS64zy1wneq/yiG"; + tinc.pubkey_ed25519 = "FBuLCjr31Z8ijUNAgzMHeuzyKUP9zvHLijtQKBouxPO"; }; }; }; -- cgit v1.2.3 From 64996e6f37b370923629e1b9edcd25a05a59ab0a Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 6 Dec 2023 21:31:59 +0100 Subject: update krebs intermediate ca --- krebs/6assets/krebsAcmeCA.crt | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt index bf05b44f4..6f659d905 100644 --- a/krebs/6assets/krebsAcmeCA.crt +++ b/krebs/6assets/krebsAcmeCA.crt 
@@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICWTCCAcKgAwIBAgIQIpBt0MsRpYd8LWNdb9MfITANBgkqhkiG9w0BAQsFADCB -gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl -YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq -hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMjEyMDYxODI2 -MDhaFw0yMzEyMDYxODI2MDhaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT -BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4KuemY4BowAbFjzCvi+PthBTWCtewnAbr -qDSlA602QcuQVmqa1/3TaYag7KNDgeg5eshMRI9GN/boKTpgcLeZo4GAMH4wDgYD -VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJYxArnj -SEArwloaM5blBymFmcL2MB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv -MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEAekCt -XrKwanrcy6+k3YfXWGiMJ47Ys7Mfa5UfIs7QiXv74MgtklLsX63D27hKn5rd7wk4 -20wXLMhb8ofrKnO4mt0VFRSGm9/cq9N/c/uuf4hMzhAJmusgkn02GG+cafqZ9ab9 -MjLmveT9WHphmgQTnJPEeYP2U2faHKIp6Gwv5qc= +MIICWjCCAcOgAwIBAgIRAOACUgvw++4VwgQ7Iu1/iRkwDQYJKoZIhvcNAQELBQAw +gYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3MxEDAOBgNVBAoMB0ty +ZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBSb290IENBMScwJQYJ +KoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUwHhcNMjMxMjA2MjAy +NTI1WhcNMjQxMjA1MjAyNTI1WjAYMRYwFAYDVQQDEw1LcmVicyBBQ01FIENBMFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESHiqfjJYhLvY9pBWVi5gwDmZQ65F5KGV +GSkOprlw4TJguHr6ToSC9MErHhDb80kyidcjWDi2WTJX1zg/OmTv2qOBgDB+MA4G +A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTSCUQO +B5ICY1kqFPQ299+Kn6zr8TAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGV +LzAYBgNVHR4BAf8EDjAMoAowA4IBcjADggF3MA0GCSqGSIb3DQEBCwUAA4GBAMY3 +hXVyUAYfNw+sb5NLZKkp5/Uu9ehcmVJV/CkWm5BKyEFsdCJ3PL5rnpockxNrOTy1 +/y0IWZ4UaV2jqVibKOTt3FWax1BHXuTBMSirAIKYdUnT969KTTs0atrDYYh1bBzy +YIxiIU+Be343LFI5HTNewAyK2SYUO0QP0BkGUUGD -----END CERTIFICATE----- -- cgit v1.2.3 From adcb10a4e3afe98bff36307dbff8601cdbe61af6 Mon Sep 17 00:00:00 2001 
From: tv Date: Wed, 6 Dec 2023 22:30:12 +0100 Subject: setuid: properly adapt module to work with 23.11 --- krebs/3modules/setuid.nix | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index fdb96c8ba..e3108d88e 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -80,13 +80,25 @@ let }; imp = { - system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ] - (concatMapStringsSep "\n" - (cfg: /* sh */ '' - ${cfg.activate} - rm -f ${cfg.wrapperDir}/${cfg.name}.real - '') - (attrValues config.krebs.setuid)); + systemd.services."krebs.setuid" = { + wantedBy = [ "suid-sgid-wrappers.service" ]; + after = [ "suid-sgid-wrappers.service" ]; + path = [ + pkgs.coreutils + ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = pkgs.writeDash "krebs.setuid.sh" '' + ${concatMapStringsSep "\n" + (getAttr "activate") + (attrValues config.krebs.setuid) + } + ''; + }; + unitConfig = { + DefaultDependencies = false; + }; + }; }; in out -- cgit v1.2.3 From 520391482411604798cab4d24d48f6c1650718ea Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Dec 2023 17:36:41 +0100 Subject: add mic92 as krebsminister --- krebs/2configs/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 905eaaef7..0d55a01fa 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -52,6 +52,7 @@ with import ../../lib/pure.nix { inherit lib; }; config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey config.krebs.users.kmein.pubkey + config.krebs.users.mic92.pubkey ]; # The NixOS release to be compatible with for stateful data such as databases. -- cgit v1.2.3 From 61a5c464b894a3b78bd98998664f89b9611ecc1a Mon Sep 17 00:00:00 2001 
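Review bot: The new `krebs.setuid.sh` script concatenates every `activate` snippet under dash with no error mode, so a failing snippet in the middle is masked and the oneshot reports success as long as the last one exits 0; add `set -efu` as the first line of the ExecStart script so a broken wrapper fails the unit visibly. The old activation script also ran `rm -f ${cfg.wrapperDir}/${cfg.name}.real` after each `activate`, and that cleanup is dropped here without the commit saying why — if a `.real` artifact is still produced, reinstate the removal after each snippet. The `activate` definitions this script runs are outside the hunk, so I cannot tell whether the `.real` file is still created in 23.11.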
From: lassulus Date: Tue, 12 Dec 2023 11:39:16 +0100 Subject: remove dead nixpkgs-unstable.json --- krebs/nixpkgs-unstable.json | 12 ------------ krebs/update-nixpkgs-unstable.sh | 9 --------- 2 files changed, 21 deletions(-) delete mode 100644 krebs/nixpkgs-unstable.json delete mode 100755 krebs/update-nixpkgs-unstable.sh diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json deleted file mode 100644 index 2233cd20b..000000000 --- a/krebs/nixpkgs-unstable.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "url": "https://github.com/NixOS/nixpkgs", - "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b", - "date": "2023-09-01T18:51:16+08:00", - "path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs", - "sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9", - "hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=", - "fetchLFS": false, - "fetchSubmodules": false, - "deepClone": false, - "leaveDotGit": false -} diff --git a/krebs/update-nixpkgs-unstable.sh b/krebs/update-nixpkgs-unstable.sh deleted file mode 100755 index ab04914c1..000000000 --- a/krebs/update-nixpkgs-unstable.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -dir=$(dirname $0) -oldrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ - --url https://github.com/NixOS/nixpkgs \ - --rev refs/heads/nixos-unstable' \ -> $dir/nixpkgs-unstable.json -newrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -git commit $dir/nixpkgs-unstable.json -m "nixpkgs-unstable: $oldrev -> $newrev" -- cgit v1.2.3 From 71242e93f11e18d3f2c35075a59a62844267f9aa Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 12 Dec 2023 11:39:52 +0100 Subject: replace nixpkgs.json with flake.lock --- krebs/krops.nix | 6 +++--- krebs/nixpkgs.json | 12 ------------ krebs/update-nixpkgs.sh | 9 --------- 3 files changed, 3 insertions(+), 24 deletions(-) delete mode 100644 krebs/nixpkgs.json delete mode 100755 krebs/update-nixpkgs.sh diff --git a/krebs/krops.nix b/krebs/krops.nix index aeb2413a4..ad277ac86 100644 --- a/krebs/krops.nix +++ b/krebs/krops.nix @@ -10,8 +10,8 @@ krebs-source = { test ? false }: rec { nixpkgs = if test then { derivation = let - rev = (lib.importJSON ./nixpkgs.json).rev; - sha256 = (lib.importJSON ./nixpkgs.json).sha256; + rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev; + sha256 = (lib.importJSON ./nixpkgs.json).nixpkgs.locked.narHash; in '' with import (builtins.fetchTarball { url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; @@ -27,7 +27,7 @@ } else { git = { ref = (lib.importJSON ./nixpkgs.json).rev; - url = https://github.com/NixOS/nixpkgs; + url = "https://github.com/NixOS/nixpkgs"; shallow = true; }; }; diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json deleted file mode 100644 index 0b6021ed0..000000000 --- a/krebs/nixpkgs.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "url": "https://github.com/NixOS/nixpkgs", - "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1", - "date": "2023-09-02T08:28:47+02:00", - "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs", - "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36", - "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=", - "fetchLFS": false, - "fetchSubmodules": false, - "deepClone": false, - "leaveDotGit": false -} diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh deleted file mode 100755 index 465548f44..000000000 --- a/krebs/update-nixpkgs.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/bin/sh -dir=$(dirname $0) -oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ - --url https://github.com/NixOS/nixpkgs \ - --rev refs/heads/nixos-23.05' \ -> $dir/nixpkgs.json -newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev" -- cgit v1.2.3 From 2b4e68d1e3b20f6a377dda6151c7fd8aee47d759 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 11:42:15 +0100 Subject: update flake.lock --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 7ca0c5f9b..6fba339f5 100644 --- a/flake.lock +++ b/flake.lock @@ -18,11 +18,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693844670, - "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", + "lastModified": 1702151865, + "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1", + "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd", "type": "github" }, "original": { -- cgit v1.2.3 From 874de0795b1b6747e6625b5bbeb148a2a54444df Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 11:39:52 +0100 Subject: replace nixpkgs.json with flake.lock --- krebs/krops.nix | 8 ++++---- krebs/nixpkgs.json | 12 ------------ krebs/update-nixpkgs.sh | 9 --------- 3 files changed, 4 insertions(+), 25 deletions(-) delete mode 100644 krebs/nixpkgs.json delete mode 100755 krebs/update-nixpkgs.sh diff --git a/krebs/krops.nix b/krebs/krops.nix index aeb2413a4..c55865d54 100644 --- a/krebs/krops.nix +++ b/krebs/krops.nix 
@@ -10,8 +10,8 @@ krebs-source = { test ? false }: rec { nixpkgs = if test then { derivation = let - rev = (lib.importJSON ./nixpkgs.json).rev; - sha256 = (lib.importJSON ./nixpkgs.json).sha256; + rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev; + sha256 = (lib.importJSON ../flake.lock).nixpkgs.locked.narHash; in '' with import (builtins.fetchTarball { url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; @@ -26,8 +26,8 @@ ''; } else { git = { - ref = (lib.importJSON ./nixpkgs.json).rev; - url = https://github.com/NixOS/nixpkgs; + ref = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev; + url = "https://github.com/NixOS/nixpkgs"; shallow = true; }; }; diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json deleted file mode 100644 index 0b6021ed0..000000000 --- a/krebs/nixpkgs.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "url": "https://github.com/NixOS/nixpkgs", - "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1", - "date": "2023-09-02T08:28:47+02:00", - "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs", - "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36", - "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=", - "fetchLFS": false, - "fetchSubmodules": false, - "deepClone": false, - "leaveDotGit": false -} diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh deleted file mode 100755 index 465548f44..000000000 --- a/krebs/update-nixpkgs.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -dir=$(dirname $0) -oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ - --url https://github.com/NixOS/nixpkgs \ - --rev refs/heads/nixos-23.05' \ -> $dir/nixpkgs.json -newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev" -- cgit v1.2.3 From 7d1fba58b51f64c31c6c6783cb8d41b42db6feb3 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 12 Dec 2023 11:42:15 +0100 Subject: update flake.lock --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 7ca0c5f9b..6fba339f5 100644 --- a/flake.lock +++ b/flake.lock @@ -18,11 +18,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693844670, - "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", + "lastModified": 1702151865, + "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1", + "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd", "type": "github" }, "original": { -- cgit v1.2.3 From c441ad385478b29c763d3acc430c6596add9c98a Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 11:54:18 +0100 Subject: mastodon: set streamingProcesses --- krebs/2configs/mastodon.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index af308b2c7..2a3dc8419 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix @@ -13,6 +13,7 @@ enable = true; localDomain = "social.krebsco.de"; configureNginx = true; + streamingProcesses = 3; trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr; smtp.createLocally = false; smtp.fromAddress = "derp"; -- cgit v1.2.3 From d20f33ca775ca553aff70d069d39de635c1287f9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 12:18:18 +0100 Subject: mastodon: upgrade postgresql 11 -> 16 --- krebs/2configs/mastodon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index 2a3dc8419..ab400955e 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix 
@@ -3,7 +3,7 @@ services.postgresql = { enable = true; dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}"; - package = pkgs.postgresql_11; + package = pkgs.postgresql_16; }; systemd.tmpfiles.rules = [ "d /var/state/postgresql 0700 postgres postgres -" -- cgit v1.2.3 From 6ce52ce8e14dfa0a0197d137f858d98028597edd Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 12:38:50 +0100 Subject: krops: fix flake.lock reference for ci --- krebs/krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/krops.nix b/krebs/krops.nix index c55865d54..eba966b4f 100644 --- a/krebs/krops.nix +++ b/krebs/krops.nix @@ -11,7 +11,7 @@ nixpkgs = if test then { derivation = let rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev; - sha256 = (lib.importJSON ../flake.lock).nixpkgs.locked.narHash; + sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash; in '' with import (builtins.fetchTarball { url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; -- cgit v1.2.3 From 316e8431c2723e258f9939dfe182f6ce3e7b0b89 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 13:09:09 +0100 Subject: default: open retiolum ports --- krebs/2configs/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 0d55a01fa..dc02f54ae 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -9,6 +9,8 @@ with import ../../lib/pure.nix { inherit lib; }; krebs.announce-activation.enable = true; krebs.enable = true; krebs.tinc.retiolum.enable = mkDefault true; + networking.firewall.allowedTCPPorts = [ 655 ]; + networking.firewall.allowedUDPPorts = [ 655 ]; # trust krebs ACME CA krebs.ssl.trustIntermediate = true; -- cgit v1.2.3 From 75374a27f903538601a124e1b99c53815bb6c4a6 Mon Sep 17 00:00:00 2001 
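Review bot: Switching `package` from `postgresql_11` to `postgresql_16` does not migrate the cluster: `dataDir` is keyed on `psqlSchema`, so the service will initialise an empty `/var/state/postgresql/16` and Mastodon starts against an empty database while the real data stays under `/var/state/postgresql/11`. A `pg_upgrade` (or dump/restore) from the 11 directory has to be run before this change is activated, and nothing in the commit does or documents that; at least a comment on the `package` line such as `# dataDir is versioned by psqlSchema: run pg_upgrade from /var/state/postgresql/11 before bumping` would warn the next person. The rest of the postgresql block, including the tmpfiles rule, is unchanged outside the hunk.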
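Review bot: The two `networking.firewall.allowed*Ports = [ 655 ]` lines in `krebs/2configs/default.nix` open tinc's port on every host that imports this file, even though `krebs.tinc.retiolum.enable` is only `mkDefault true` and a host may turn retiolum off. Gate the rule on the option, e.g. `networking.firewall.allowedTCPPorts = lib.mkIf config.krebs.tinc.retiolum.enable [ 655 ];` (same for UDP), and if the tinc module exposes the listen port as an option, reference that instead of hard-coding 655 so the two cannot drift apart. This is hedged on the module's option names, which are not visible here.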
From: lassulus Date: Tue, 12 Dec 2023 13:22:20 +0100 Subject: default: add more retiolum options --- krebs/2configs/default.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index dc02f54ae..5d64555c8 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -8,7 +8,15 @@ with import ../../lib/pure.nix { inherit lib; }; ]; krebs.announce-activation.enable = true; krebs.enable = true; - krebs.tinc.retiolum.enable = mkDefault true; + + # retiolum + krebs.tinc.retiolum = { + enable = mkDefault true; + extraConfig = '' + AutoConnect = yes + LocalDiscovery = yes + ''; + }; networking.firewall.allowedTCPPorts = [ 655 ]; networking.firewall.allowedUDPPorts = [ 655 ]; -- cgit v1.2.3 From a6ed47e69154703a0511f207ca598fc5f918de22 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 13:22:35 +0100 Subject: kartei: remove port 0 shenanigans --- kartei/krebs/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index 6c5c86ead..7e3f1b542 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -87,7 +87,6 @@ in { "irc.r" "wiki.r" ]; - tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc @@ -114,7 +113,6 @@ in { "go.r" "rss.r" ]; - tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc @@ -225,7 +223,6 @@ in { "build.puyak.r" "cgit.puyak.r" ]; - tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955 -- cgit v1.2.3 From 5beea992dd6df7e78f845131aa7f6cee2d49d963 Mon Sep 17 00:00:00 2001 
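Review bot: `LocalDiscovery = yes` in the shared `extraConfig` makes every importing host, including laptops on untrusted LANs, broadcast tinc discovery traffic on whatever local network it is attached to, which announces the host and the VPN's presence to that LAN; the handshake is still authenticated, but the exposure is a per-host decision rather than a fleet default. Consider wrapping the new block in `lib.mkDefault` so individual hosts can opt out, and a one-line comment stating why both `AutoConnect` and `LocalDiscovery` are enabled by default (e.g. `# mesh self-heals via AutoConnect; LocalDiscovery lets hosts on the same LAN short-cut the tunnel`). Whether `extraConfig` is a `lines` type that merges with per-host additions or a plain string that conflicts is not visible from this hunk.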
From: lassulus Date: Tue, 12 Dec 2023 14:13:07 +0100 Subject: sync-containers3: print ping timeout reasons before container kill --- krebs/3modules/sync-containers3.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index cb239b955..d3a65bd4c 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -155,7 +155,7 @@ in { # echo 'container is reachable, continueing' continue else - # echo 'container seems dead, killing' + echo 'container seems dead, killing' break fi else -- cgit v1.2.3 From d165a0871caadf7686f5ca56a54ea0e95b2698eb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 14:13:22 +0100 Subject: mastodon-proxy: add acmeFallbackHost --- krebs/2configs/mastodon-proxy.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix index 4d359c3fe..35bf6020d 100644 --- a/krebs/2configs/mastodon-proxy.nix +++ b/krebs/2configs/mastodon-proxy.nix @@ -5,6 +5,7 @@ virtualHosts."social.krebsco.de" = { forceSSL = true; enableACME = true; + acmeFallbackHost = "hotdog.r"; locations."/" = { # TODO use this in 22.11 # recommendedProxySettings = true; -- cgit v1.2.3 From 25d035de777df95cd0c809e647d942a75d5a4906 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 16:43:46 +0100 Subject: hotdog: add nginx config for acme in container --- krebs/1systems/hotdog/config.nix | 1 + krebs/2configs/nginx.nix | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 krebs/2configs/nginx.nix diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 75a8a0da1..0a103ed1a 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix 
@@ -4,6 +4,7 @@ imports = [ ../../../krebs ../../../krebs/2configs + ../../../krebs/2configs/nginx.nix ../../../krebs/2configs/buildbot-stockholm.nix ../../../krebs/2configs/binary-cache/nixos.nix diff --git a/krebs/2configs/nginx.nix b/krebs/2configs/nginx.nix new file mode 100644 index 000000000..812093a7e --- /dev/null +++ b/krebs/2configs/nginx.nix @@ -0,0 +1,24 @@ +{ + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security.acme.acceptTerms = true; + security.acme.defaults.email = "spam@krebsco.de"; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + enableReload = true; + + virtualHosts.default = { + default = true; + locations."= /etc/os-release".extraConfig = '' + default_type text/plain; + alias /etc/os-release; + ''; + # needed for acmeFallback in sync-containers, or other machines not reachable globally + locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge"; + }; + }; +} -- cgit v1.2.3 From 04f538164ce11ce977a851b6de2a9d2c5f7a9adb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 19:12:20 +0100 Subject: fix ssl cert for social.krebsco.de --- krebs/2configs/mastodon-proxy.nix | 12 ++---------- krebs/2configs/mastodon.nix | 11 ++--------- krebs/2configs/reaktor2.nix | 2 ++ 3 files changed, 6 insertions(+), 19 deletions(-) diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix index 35bf6020d..b579a5031 100644 --- a/krebs/2configs/mastodon-proxy.nix +++ b/krebs/2configs/mastodon-proxy.nix 
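Review bot: The catch-all `virtualHosts.default` in the new `nginx.nix` serves `/etc/os-release` to anyone on port 80, which publishes the exact NixOS release and version of the host; if that is intentional (fleet version monitoring), say so above the location, e.g. `# intentionally public: exposes NixOS version for fleet monitoring`, otherwise restrict it to retiolum addresses with an `allow`/`deny` block. The acme-challenge location on the same default server is what `acmeFallbackHost = "hotdog.r"` on the proxy relies on, so a short cross-reference in the comment (which host proxies here) would help the next reader. `recommendedTlsSettings` is enabled but no vhost in this file listens on 443, so the 443 firewall opening is only useful once a TLS vhost is added elsewhere.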
@@ -8,17 +8,9 @@ acmeFallbackHost = "hotdog.r"; locations."/" = { # TODO use this in 22.11 - # recommendedProxySettings = true; - proxyPass = "http://hotdog.r"; + recommendedProxySettings = true; + proxyPass = "https://hotdog.r"; proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - ''; }; }; }; diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index ab400955e..ebc4207a0 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix @@ -19,18 +19,11 @@ smtp.fromAddress = "derp"; }; - services.nginx.virtualHosts.${config.services.mastodon.localDomain} = { - forceSSL = lib.mkForce false; - enableACME = lib.mkForce false; - locations."@proxy".extraConfig = '' - proxy_redirect off; - proxy_pass_header Server; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - ''; - }; + security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; networking.firewall.allowedTCPPorts = [ 80 + 443 ]; environment.systemPackages = [ diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index db7b794f4..e84827656 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -526,6 +526,8 @@ in { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; ''; + # needed for acmeFallback in sync-containers, or other machines not reachable globally + locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge"; }; services.nginx.virtualHosts."bedge.r" = { -- cgit v1.2.3 From 9c3e9214b028506aaa9254a65842c2318ed11fed Mon Sep 17 00:00:00 2001 
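Review bot: `proxyPass = "https://hotdog.r"` now speaks TLS to the container, but nginx neither verifies the upstream certificate nor sends SNI by default, so this hop is encrypted yet unauthenticated and hotdog's nginx will pick its certificate without knowing the requested name; add `extraConfig = "proxy_ssl_server_name on;";` at least, and `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` if the backend certificate is meant to be checked. Since the backend's certificate is issued by the Let's Encrypt staging directory (see `mastodon.nix` in this commit), verification against the public roots would fail, which should be stated in a comment so nobody turns verification on blindly. The `# TODO use this in 22.11` line is now stale because `recommendedProxySettings = true` is enabled right below it and should be dropped.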
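Review bot: `security.acme.certs."social.krebsco.de".server` is pointed at the Let's Encrypt staging directory, whose certificates are not trusted by browsers; that only works because the public endpoint is terminated on the proxy, and port 443 is now opened on the container host as well, so a reader could reasonably assume this vhost serves clients directly. A comment on the `server` line such as `# staging issuer: this cert is only seen by the mastodon-proxy hop over retiolum, never by browsers` would make the intent explicit. The mastodon service block itself continues outside the hunk.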
From: tv Date: Fri, 5 Jan 2024 23:34:02 +0100 Subject: kartei tv: init leg --- kartei/tv/hosts/leg.nix | 24 ++++++++++++++++++++++++ kartei/tv/wiregrill/leg.pub | 1 + 2 files changed, 25 insertions(+) create mode 100644 kartei/tv/hosts/leg.nix create mode 100644 kartei/tv/wiregrill/leg.pub diff --git a/kartei/tv/hosts/leg.nix b/kartei/tv/hosts/leg.nix new file mode 100644 index 000000000..aa023b42d --- /dev/null +++ b/kartei/tv/hosts/leg.nix @@ -0,0 +1,24 @@ +{ + nets = { + retiolum = { + ip4.addr = "10.243.13.43"; + aliases = [ + "leg.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsfL4VK3WbgbWVYsOA0TJ3iswRrvfE/z/TbNTtzULGPSA6bTG8QXO + f2cm6aY6UriMktJL6GB3XNYlDZDKi74bNOXP+O/p7dTr5g9PWjYeqLFiLFr0pwWi + pooKxrAcPEJ8khhCI7eXVGL1baiHZsPCZLmPXm+c3qke6uY/48zmt0SG3WwjybF/ + JMbxE7XTMrsO28PiOZgWrXqZJgLhKygcz9WGMkQ9CcjnHobKIoTRWHILIsEPjR2s + /vNeGTa6v9/SpDQtHlfiELNxQAHUXU0//hJvEyH4dMS+vJKNQlL9z84fQqhZGfh0 + nN++k9cHwSPDusbMqB2ncpx6v8ieUpCsewIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = " qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiputkYYQbg8sUHu+dMVOEuqhPYwPhPdmkS6LopPx17 root@leg"; + syncthing.id = "5IB2U3K-HNQWNA4-ULYNPZF-XC3HX4D-IKQB72L-GNF6U2P-RNL4OMF-BWGDVAU"; +} diff --git a/kartei/tv/wiregrill/leg.pub b/kartei/tv/wiregrill/leg.pub new file mode 100644 index 000000000..7e75edffe --- /dev/null +++ b/kartei/tv/wiregrill/leg.pub @@ -0,0 +1 @@ +tlGh9gpV09TspLVV/9+Z5T5fhMAQcz5c5L3KNvR/d1I= -- cgit v1.2.3 From 191ee037480e0837091c0dbc7bf8ec42dd7f93b4 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 5 Jan 2024 23:40:07 +0100 Subject: lib: don't reexport krops' lib --- lib/pure.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/pure.nix b/lib/pure.nix index 3329db022..3fe51cd54 100644 --- a/lib/pure.nix +++ b/lib/pure.nix 
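Review bot: `tinc.pubkey_ed25519` for leg has a leading space inside the string (`" qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH"`), unlike the fu entry earlier on this page, so whatever renders the host file will emit a malformed `Ed25519PublicKey` line; it should be `tinc.pubkey_ed25519 = "qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH";`. The ip4 address `10.243.13.43` also appears to duplicate zoppo's address in this kartei (a later commit on this page moves zoppo to .45), which is worth double-checking before the two hosts are online at once.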
@@ -23,7 +23,6 @@ let git = import ./git.nix { inherit (stockholm) lib; }; haskell = import ./haskell.nix { inherit (stockholm) lib; }; krebs = import ./krebs stockholm.lib; - krops = import ../submodules/krops/lib; shell = import ./shell.nix { inherit (stockholm) lib; }; systemd = { encodeName = replaceStrings ["/"] ["\\x2f"]; -- cgit v1.2.3 From 3ab426ea5bff850471eb4f9470e58dec75be8438 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 8 Jan 2024 20:47:57 +0100 Subject: kartei tv zoppo: 10.243.13.{43 -> 45} --- kartei/tv/hosts/zoppo.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kartei/tv/hosts/zoppo.nix b/kartei/tv/hosts/zoppo.nix index 4fcbe76c2..4d312105f 100644 --- a/kartei/tv/hosts/zoppo.nix +++ b/kartei/tv/hosts/zoppo.nix @@ -1,7 +1,7 @@ { nets = { retiolum = { - ip4.addr = "10.243.13.43"; + ip4.addr = "10.243.13.45"; aliases = [ "zoppo.r" ]; -- cgit v1.2.3 From cc61ce408000c5ac87602f96b26fcb04ea5c174b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 9 Jan 2024 00:59:13 +0100 Subject: sync-containers3: fix dns issues --- krebs/3modules/sync-containers3.nix | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index d3a65bd4c..7373592a5 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -58,6 +58,8 @@ in { pkgs.jq ]; networking.useDHCP = lib.mkForce true; + networking.useHostResolvConf = false; + services.resolved.enable = true; systemd.services.autoswitch = { environment = { NIX_REMOTE = "daemon"; @@ -297,9 +299,6 @@ in { (lib.mkIf (cfg.containers != {}) { # networking - # needed because otherwise we lose local dns - environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf"; - boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; systemd.network.networks.ctr0 = { name = "ctr0"; 
@@ -312,6 +311,9 @@ in { ConfigureWithoutCarrier = true; DHCPServer = "yes"; }; + dhcpServerConfig = { + DNS = "9.9.9.9"; + }; }; systemd.network.netdevs.ctr0.netdevConfig = { Kind = "bridge"; @@ -344,6 +346,12 @@ in { networking.useHostResolvConf = false; networking.useNetworkd = true; + services.resolved = { + enable = true; + extraConfig = '' + Domains=~. + ''; + }; systemd.network = { enable = true; networks.eth0 = { -- cgit v1.2.3
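Review bot: The DHCP server on `ctr0` now hands every container `DNS = "9.9.9.9"`, so container resolution bypasses the host's systemd-resolved and goes to an external resolver in the clear, and names that only the host's resolver knows (retiolum `.r` hosts, which this module elsewhere relies on) will no longer resolve inside containers. Pointing DNS at the bridge address where the host's resolved listens, or exposing it as a module option with 9.9.9.9 as the default (`DNS = cfg.containerDns;`), keeps the local names working and makes the external dependency visible. The `Domains=~.` added to the host's resolved config is global, so a comment explaining why all domains are routed this way would help. Both the ctr0 network block and the `services.resolved` block extend beyond the hunk.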