From 606f88e4f0a8c257f9e6be94ca8469da04b381cc Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 22 Nov 2022 20:15:44 +0100 Subject: kartei: init --- kartei/makefu/default.nix | 393 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 393 insertions(+) create mode 100644 kartei/makefu/default.nix (limited to 'kartei/makefu/default.nix') diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix new file mode 100644 index 000000000..f9997b2d2 --- /dev/null +++ b/kartei/makefu/default.nix @@ -0,0 +1,393 @@ +## generate keys with: +# tinc generate-keys +# ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host + +with import ../../lib; +{ config, ... }: let + + hostDefaults = hostName: host: foldl' recursiveUpdate {} [ + { + owner = config.krebs.users.makefu; + } + # Retiolum defaults + (let + pubkey-path = ./retiolum + "/${hostName}.pub"; + in optionalAttrs (pathExists pubkey-path) { + nets.retiolum = { + tinc.pubkey = readFile pubkey-path; + aliases = [ + "${hostName}.r" + ]; + ip6.addr = + (krebs.genipv6 "retiolum" "makefu" { inherit hostName; }).address; + }; + }) + # Retiolum ed25519 keys + (let + pubkey-path = ./retiolum + "/${hostName}_ed25519.pub"; + in optionalAttrs (pathExists pubkey-path) { + nets.retiolum.tinc.pubkey_ed25519 = readFile pubkey-path; + }) + # Wiregrill defaults + (let + pubkey-path = ./wiregrill + "/${hostName}.pub"; + in optionalAttrs (pathExists pubkey-path) { + nets.wiregrill = { + aliases = [ + "${hostName}.w" + ]; + ip6.addr = + (krebs.genipv6 "wiregrill" "makefu" { inherit hostName; }).address; + wireguard.pubkey = readFile pubkey-path; + }; + }) + # SSHD defaults + (let + pubkey-path = ./sshd + "/${hostName}.pub"; + in optionalAttrs (pathExists pubkey-path) { + ssh.pubkey = readFile pubkey-path; + # We assume that if the sshd pubkey exits then there must be a privkey in + # the screts store as well + ssh.privkey.path = ; + }) + host + ]; + + pub-for = name: builtins.readFile (./ssh + "/${name}.pub"); + w6 = ip: (krebs.genipv6 "wiregrill" "makefu" ip).address; +in { + hosts = mapAttrs hostDefaults { + cake = rec { + cores = 4; + ci = false; + nets = { + retiolum.ip4.addr = "10.243.136.236"; + }; + }; + crapi = rec { # raspi1 + cores = 1; + ci = false; + nets = { + retiolum.ip4.addr = "10.243.136.237"; + }; + }; + firecracker = { + cores = 4; + nets = { + retiolum.ip4.addr = "10.243.12.12"; + }; + }; + + studio = rec { + ci = false; + cores = 4; + nets = { + retiolum.ip4.addr = "10.243.227.163"; + }; + }; + fileleech = rec { + ci = false; + cores = 4; + nets = { + retiolum.ip4.addr = "10.243.113.98"; + }; + }; + tsp = { + ci = true; + cores = 1; + nets = { + retiolum.ip4.addr = "10.243.0.212"; + }; + }; + x = { + ci = true; + cores = 4; + syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5"; + nets = { + retiolum.ip4.addr = "10.243.0.91"; + wiregrill = { + # defaults + }; + }; + + }; + filepimp = rec { + ci = false; + cores = 1; + nets = { + retiolum.ip4.addr = "10.243.153.102"; + }; + }; + + omo = rec { + ci = true; + cores = 2; + syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK"; + nets = { + retiolum = { + ip4.addr = "10.243.0.89"; + aliases = [ + "omo.r" + "dcpp.omo.r" + "backup.makefu.r" + "torrent.omo.r" + "music.omo.r" + "music.makefu.r" + ]; + }; + }; + }; + wbob = rec { + ci = true; + cores = 4; + nets = { + retiolum = { + ip4.addr = "10.243.214.15"; + aliases = [ + "wbob.r" + "hydra.wbob.r" + "log.wbob.r" + ]; + }; + }; + }; + latte = rec { + ci = true; + extraZones = { + "krebsco.de" = '' + latte.euer IN A ${nets.internet.ip4.addr} + ''; + }; + cores = 4; + nets = rec { + internet = { + ip4.addr = "178.254.30.202"; + ip6.addr = "2a00:6800:3:18c::2"; + aliases = [ + "latte.i" + ]; + }; + #wiregrill = { + # via = internet; + # ip4.addr = "10.244.245.1"; + # ip6.addr = w6 "1"; + # wireguard.port = 51821; + # wireguard.subnets = [ + # (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR + # "10.244.245.0/24" # required for routing directly to gum via rockit + # ]; + #}; + retiolum = { + via = internet; + ip4.addr = "10.243.0.214"; + # never connect via gum (he eats your packets!) + #tinc.weight = 9001; + + aliases = [ + "latte.r" + "torrent.latte.r" + ]; + }; + }; + }; + gum = rec { + ci = true; + extraZones = { + "krebsco.de" = '' + rss.euer IN A ${nets.internet.ip4.addr} + o.euer IN A ${nets.internet.ip4.addr} + bw.euer IN A ${nets.internet.ip4.addr} + bookmark.euer IN A ${nets.internet.ip4.addr} + boot IN A ${nets.internet.ip4.addr} + boot.euer IN A ${nets.internet.ip4.addr} + cache.euer IN A ${nets.internet.ip4.addr} + cache.gum IN A ${nets.internet.ip4.addr} + cgit.euer IN A ${nets.internet.ip4.addr} + dl.euer IN A ${nets.internet.ip4.addr} + dns.euer IN A ${nets.internet.ip4.addr} + dockerhub IN A ${nets.internet.ip4.addr} + euer IN A ${nets.internet.ip4.addr} + euer IN MX 1 aspmx.l.google.com. + ghook IN A ${nets.internet.ip4.addr} + git.euer IN A ${nets.internet.ip4.addr} + gold IN A ${nets.internet.ip4.addr} + graph IN A ${nets.internet.ip4.addr} + gum IN A ${nets.internet.ip4.addr} + io IN NS gum.krebsco.de. + iso.euer IN A ${nets.internet.ip4.addr} + feed.euer IN A ${nets.internet.ip4.addr} + board.euer IN A ${nets.internet.ip4.addr} + etherpad.euer IN A ${nets.internet.ip4.addr} + mediengewitter IN CNAME over.dose.io. + mon.euer IN A ${nets.internet.ip4.addr} + netdata.euer IN A ${nets.internet.ip4.addr} + nixos.unstable IN CNAME krebscode.github.io. + photostore IN A ${nets.internet.ip4.addr} + pigstarter IN CNAME makefu.github.io. + share.euer IN A ${nets.internet.ip4.addr} + wg.euer IN A ${nets.internet.ip4.addr} + wiki.euer IN A ${nets.internet.ip4.addr} + wikisearch IN A ${nets.internet.ip4.addr} + + meet.euer IN A ${nets.internet.ip4.addr} + work.euer IN A ${nets.internet.ip4.addr} + admin.work.euer IN A ${nets.internet.ip4.addr} + push.work.euer IN A ${nets.internet.ip4.addr} + api.work.euer IN A ${nets.internet.ip4.addr} + maps.work.euer IN A ${nets.internet.ip4.addr} + play.work.euer IN A ${nets.internet.ip4.addr} + ul.work.euer IN A ${nets.internet.ip4.addr} + music.euer IN A ${nets.internet.ip4.addr} + ''; + }; + cores = 8; + nets = rec { + internet = { + ip4.addr = "142.132.189.140"; + ip6.addr = "fe80::9400:1ff:fe24:33f4"; + aliases = [ + "gum.i" + ]; + }; + wiregrill = { + via = internet; + ip4.addr = "10.244.245.1"; + ip6.addr = w6 "1"; + wireguard.port = 51821; + wireguard.subnets = [ + (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR + "10.244.245.0/24" # required for routing directly to gum via rockit + ]; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.0.213"; + # never connect via gum (he eats your packets!) + #tinc.weight = 9001; + + aliases = [ + "gum.r" + "blog.gum.r" + "blog.makefu.r" + "cache.gum.r" + "cgit.gum.r" + "dcpp.gum.r" + "dcpp.nextgum.r" + "graph.makefu.r" + "logs.makefu.r" + "netdata.makefu.r" + "nextgum.r" + "o.gum.r" + "search.makefu.r" + "stats.makefu.r" + "torrent.gum.r" + "tracker.makefu.r" + "wiki.gum.r" + "wiki.makefu.r" + "warrior.gum.r" + "rss.makefu.r" + "sick.makefu.r" + "dl.gum.r" + "dl.makefu.r" + ]; + }; + }; + }; + + sdev = rec { + ci = true; + cores = 1; + nets = { + retiolum.ip4.addr = "10.243.83.237"; + }; + }; + + +# non-stockholm + + flap = rec { + cores = 1; + extraZones = { + "krebsco.de" = '' + flap IN A ${nets.internet.ip4.addr} + ''; + }; + nets = { + internet = { + ip4.addr = "162.248.11.162"; + aliases = [ + "flap.i" + ]; + }; + retiolum = { + ip4.addr = "10.243.211.172"; + }; + }; + }; + + nukular = rec { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.231.219"; + }; + }; + }; + + + shackdev = rec { # router@shack + cores = 1; + nets.wiregrill.ip4.addr = "10.244.245.2"; + }; + + rockit = rec { # router@home + cores = 1; + nets.wiregrill.ip4.addr = "10.244.245.3"; + }; + + senderechner = rec { + cores = 2; + nets = { + retiolum = { + ip4.addr = "10.243.0.163"; + }; + }; + }; + }; + users = rec { + makefu = { + mail = "makefu@x.r"; + pubkey = pub-for "makefu.x"; + pgp.pubkeys.default = builtins.readFile ./pgp/default.asc; + pgp.pubkeys.brain = builtins.readFile ./pgp/brain.asc; + }; + makefu-omo = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.omo"; + }; + makefu-tsp = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.tsp"; + }; + makefu-vbob = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.vbob"; + }; + makefu-tempx = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.tempx"; + }; + makefu-android = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.android"; + }; + makefu-remote-builder = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.remote-builder"; + }; + makefu-bob = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.bob"; + }; + }; +} -- cgit v1.2.3